Intrusion Monitoring for ArcSight ESM™ 6.0c with CORR-Engine September 14, 2012 Standard Content Guide

Standard Content Guide - community.microfocus.com · network model, refer to the ArcSight Console User’s Guide or the ESM online Help. To learn To learn more about the architecture


Intrusion Monitoring

for ArcSight ESM™ 6.0c with CORR-Engine

September 14, 2012

Standard Content Guide


Standard Content Guide - Intrusion Monitoring

Copyright © 2012 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Follow this link to see a complete statement of copyrights and acknowledgements: http://www.hpenterprisesecurity.com/copyright

The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only.

This document is confidential.

Revision History

Document template version: 2.1

Date: 09/14/2012
Product Version: Intrusion Monitoring Content for ESM 6.0c
Description: Final revision for release.

Contact Information

Phone: 1-866-535-3285 (North America), +44 203-564-1189 (EMEA), +49 69380789455 (Germany)

Support Web Site: http://support.openview.hp.com

Protect 724 Community: https://protect724.arcsight.com


Contents

Chapter 1: Intrusion Monitoring Overview .......................................................................... 7

What is Standard Content? ............................................................................................... 7

Standard Content Packages .............................................................................................. 8

Intrusion Monitoring Content ............................................................................................ 9

Chapter 2: Installation and Configuration ......................................................................... 11

Installing the Intrusion Monitoring Package ....................................................................... 11

Configuring Intrusion Monitoring Content .......................................................................... 12

Modeling the Network .............................................................................................. 12

Categorizing Assets ................................................................................................. 13

Configuring Active Lists ............................................................................................ 13

Enabling Rules ........................................................................................................ 14

Configuring the Network Management Filter ................................................................ 14

Configuring Notification Destinations .......................................................................... 15

Configuring Notifications and Cases ........................................................................... 15

Scheduling Reports ................................................................................................. 15

Restricting Access to Vulnerability View Reports .......................................................... 15

Configuring Trends .................................................................................................. 16

Chapter 3: Intrusion Monitoring Content .......................................................................... 17

Alerts from IDS-IPS ....................................................................................................... 19

Devices ................................................................................................................. 19

Resources .............................................................................................................. 19

Anti-Virus Activity and Status ......................................................................................... 22

Devices ................................................................................................................. 22

Resources .............................................................................................................. 22

Attack Rates ................................................................................................................. 27

Devices ................................................................................................................. 27

Configuration ......................................................................................................... 27

Resources .............................................................................................................. 27

Attackers ..................................................................................................................... 37

Devices ................................................................................................................. 37

Resources .............................................................................................................. 37

Business Impact Analysis ............................................................................................... 54


Devices ................................................................................................................. 54

Configuration ......................................................................................................... 54

Resources .............................................................................................................. 54

DoS ............................................................................................................................. 59

Devices ................................................................................................................. 59

Configuration ......................................................................................................... 59

Resources .............................................................................................................. 59

Environment State ........................................................................................................ 66

Devices ................................................................................................................. 66

Resources .............................................................................................................. 66

Login Tracking .............................................................................................................. 74

Devices ................................................................................................................. 74

Configuration ......................................................................................................... 74

Resources .............................................................................................................. 74

Reconnaissance ............................................................................................................ 95

Devices ................................................................................................................. 95

Configuration ......................................................................................................... 95

Resources .............................................................................................................. 96

Regulated Systems .......................................................................................................106

Devices ................................................................................................................106

Configuration ........................................................................................................106

Resources .............................................................................................................106

Resource Access ..........................................................................................................109

Devices ................................................................................................................109

Configuration ........................................................................................................109

Resources .............................................................................................................109

Revenue Generating Systems ........................................................................................119

Devices ................................................................................................................119

Resources .............................................................................................................119

SANS Top 5 Reports .....................................................................................................122

Devices ................................................................................................................122

Resources .............................................................................................................122

SANS Top 20 ...............................................................................................................129

Devices ................................................................................................................129

Configuration ........................................................................................................129

Resources .............................................................................................................129

Security Overview ........................................................................................................145

Devices ................................................................................................................145

Configuration ........................................................................................................145

Resources .............................................................................................................145

Targets .......................................................................................................................155

Devices ................................................................................................................155

Resources .............................................................................................................155


Vulnerability View .........................................................................................................168

Devices ................................................................................................................168

Resources .............................................................................................................168

Worm Outbreak ...........................................................................................................174

Devices ................................................................................................................174

Resources .............................................................................................................174

Index .................................................................................................................................................... 179


Chapter 1

Intrusion Monitoring Overview

This chapter discusses the following topics.

“What is Standard Content?” on page 7

“Standard Content Packages” on page 8

“Intrusion Monitoring Content” on page 9

What is Standard Content?

Standard content is a series of coordinated resources (filters, rules, dashboards, reports, and so on) that address common security and management tasks. Standard content is designed to give you comprehensive correlation, monitoring, reporting, alerting, and case management out of the box with minimal configuration. The content provides a full spectrum of security, network, and configuration monitoring tasks, as well as a comprehensive set of tasks that monitor the health of the system.

The standard content is installed using a series of packages, some of which are installed automatically with the Manager to provide essential system health and status operations. The remaining packages are presented as install-time options organized by category.

Standard content consists of the following:

ArcSight System content is installed automatically with the Manager and consists of resources required for basic security processing functions, such as threat escalation and priority calculations, as well as basic throughput channels required for out-of-the-box functionality.

ArcSight Administration content is installed automatically with the Manager, and provides statistics about the health and performance of ArcSight products. ArcSight Administration is essential for managing and tuning the performance of content and components.

ArcSight Foundations content (such as Configuration Monitoring, Intrusion Monitoring, Network Monitoring, NetFlow Monitoring, and Workflow) is presented as an install-time option and provides a coordinated system of resources with real-time monitoring capabilities for a specific area of focus, as well as after-the-fact analysis in the form of reports and trends. You can extend these foundations with additional resources specific to your needs or you can use them as a template for building your own resources and tasks.

Shared Libraries - ArcSight Administration and several of the ArcSight Foundations rely on a series of common resources that provide core functionality for common security scenarios. Dependencies between these resources and the packages they support are managed by the Package resource.

Anti-Virus content is a set of filters, reports, and report queries used by ArcSight Foundations, such as Configuration Monitoring and Intrusion Monitoring.

Conditional Variable Filters are a library of filters used by variables in standard content report queries, filters, and rule definitions. The Conditional Variable Filters are used by ArcSight Administration and certain ArcSight Foundations, such as Configuration Monitoring, Intrusion Monitoring, Network Monitoring, and Workflow.

Global Variables are a set of variables used to create other resources and to provide event-based fields that cover common event information, asset, host, and user information, and commonly used timestamp formats. The Global Variables are used by ArcSight Administration and certain ArcSight Foundations.

Network filters are a set of filters required by ArcSight Administration and certain ArcSight Foundations, such as Intrusion Monitoring and Network Monitoring.

Standard Content Packages

Standard content comes in packages (.arb files) that are either installed automatically or presented as an install-time option. The following graphic outlines the packages.

Figure 1-1 The ArcSight System and ArcSight Administration packages at the base provide content required for basic ArcSight functionality. The common packages in the center contain shared resources that support ArcSight Administration and the ArcSight Foundation packages. The packages shown on top are ArcSight Foundations that address common network security and management scenarios.

Depending on the options you install, you will see the ArcSight System resources, the ArcSight Administration resources, and some or all of the other package content.

The ArcSight Express package is present in ESM installations, but is not installed by default. The package offers an alternate view of the Foundation resources. You can install or uninstall the ArcSight Express package without impact to the system.


Intrusion Monitoring Content

The Intrusion Monitoring content is a coordinated set of resources that identify hostile activity and take appropriate action. The content provides statistics about intrusion-related activity, which can be used for incident investigation as well as routine monitoring and reporting.

The Intrusion Monitoring content targets generic intrusion types as well as specific types of attacks, such as worms, viruses, denial-of-service (DoS) attacks, and more. This content also addresses several of the SANS top 20 list of vulnerable areas.

This guide describes the Intrusion Monitoring content. For information about ArcSight System or ArcSight Administration content, refer to the ArcSight Standard Content Guide - ArcSight System and ArcSight Administration. For information about an optional ArcSight Foundation, refer to the Standard Content Guide for that Foundation. ESM documentation is available on Protect 724 (https://protect724.arcsight.com).

When creating your own packages, you can explicitly include or exclude system resources in the package. Exercise caution if you delete packages that might have system resources; for example, zones. Make sure the system resources either belong to a locked group or are themselves locked. For more information about packages, refer to the ArcSight Console User’s Guide.


Chapter 2

Installation and Configuration

This chapter discusses the following topics.

“Installing the Intrusion Monitoring Package” on page 11

“Configuring Intrusion Monitoring Content” on page 12

For information about upgrading standard content, see Appendix A, Upgrading Standard Content, on page 139.

Installing the Intrusion Monitoring Package

The Intrusion Monitoring package is one of the standard content packages that are presented as install-time options. If you selected all of the standard content packages to be installed at installation time, the packages and their resources will be installed in the ArcSight database and available in the Navigator panel resource tree. The package icon in the Navigator panel package view will appear blue.

If you opted to exclude any packages at installation time, the package is imported into the ESM package view in the Navigator panel, but is not available in the resource view. The package icon in the package view will appear grey.

If you do not want the package to be available in any form, you can delete the package.

To install a package that is imported, but not installed:

1 In the Navigator panel Package view, navigate to the package you want to install.

2 Right-click the package and select Install Package.

3 In the Install Package dialog, click OK.

4 When the installation is complete, review the summary report and click OK.

The package resources are fully installed to the ArcSight database, the resources are fully enabled and operational, and available in the Navigator panel resource tree.

To uninstall a package that is installed:

1 In the Navigator Panel Package view, navigate to the package you want to uninstall.

2 Right-click the package and select Uninstall Package.

3 In the Uninstall Package dialog, click OK.


The progress of the uninstall displays in the Progress tab of the Uninstalling Packages dialog. If a message displays indicating that there is a conflict, select an option in the Resolution Options area and click OK.

4 When uninstall is complete, review the summary and click OK.

The package is removed from the ArcSight database and the Navigator panel resource tree, but remains available in the Navigator panel package view, and can be re-installed at another time.

To delete a package and remove it from the Console and the database:

1 In the Navigator Panel Package view, navigate to the package you want to delete.

2 Right-click the package and select Delete Package.

3 When prompted for confirmation of the delete, click Delete.

The package is removed from the Navigator panel package view.

Configuring Intrusion Monitoring Content

The list below shows the general tasks you need to complete to configure Intrusion Monitoring content with values specific to your environment.

“Modeling the Network” on page 12

“Categorizing Assets” on page 13

“Configuring Active Lists” on page 13

“Enabling Rules” on page 14

“Configuring the Network Management Filter” on page 14

“Configuring Notification Destinations” on page 15

“Configuring Notifications and Cases” on page 15

“Scheduling Reports” on page 15

“Restricting Access to Vulnerability View Reports” on page 15

“Configuring Trends” on page 16

Modeling the Network

A network model keeps track of the network nodes participating in the event traffic. Modeling your network and categorizing critical assets using the standard asset categories is what activates some of the standard content and makes it effective.

There are several ways to model your network. For information about populating the network model, refer to the ArcSight Console User’s Guide or the ESM online Help. To learn more about the architecture of the ESM network modeling tools, refer to the ESM 101 guide.


Categorizing Assets

After you have populated your network model with assets, apply the standard asset categories to activate standard content that uses these categories.

Categorize all assets (or the zones to which the assets belong) that are internal to the network with the /All Asset Categories/Site Asset Categories/Address Spaces/Protected category.

Internal Assets are assets inside the company network. Assets that are not categorized as internal to the network are considered to be external. Make sure that you also categorize assets that have public addresses but are controlled by the organization (such as web servers) as Protected.

Categorize all assets that are considered critical to protect (including assets that host proprietary content, financial data, cardholder data, top secret data, or perform functions critical to basic operations) with the /All Asset Categories/System Asset Categories/Criticality/High or Very High category.

The asset categories most essential to basic event processing are those used by the Priority Formula to calculate an event’s criticality. Asset criticality is one of the four factors used by the Priority Formula to generate an overall event priority rating.

Asset categories can be assigned to assets, zones, asset groups, or zone groups. If assigned to a group, all resources under that group inherit the categories.

You can assign asset categories individually using the Asset editor or in a batch using the Network Modeling wizard. For information about how to assign asset categories using the Console tools, refer to the ArcSight Console User’s Guide or the ESM online Help.

For more about the Priority Formula and how it leverages these asset categories to help assign priorities to events, refer to the ArcSight Console User’s Guide or the ESM 101 guide.
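The categorisation rules in this section lend themselves to an automated check before the standard content is relied on. The script below is an added example, not code from the guide or from ArcSight: it audits a constructed asset inventory for organisation-controlled assets on public addresses that lack the Protected category, and for critical assets that lack a High or Very High criticality category. It applies the guide's rule that private-address assets count as Protected without the category, taking "private" to mean the RFC 1918 ranges; the inventory layout, the helper names and that reading of "private" are assumptions.

```python
# Added example (not code from the ArcSight guide): audit an asset inventory
# against the categorisation rules in "Categorizing Assets". The inventory
# layout and the helper names are assumptions made for this example.
import ipaddress

PROTECTED = "/All Asset Categories/Site Asset Categories/Address Spaces/Protected"
CRIT_HIGH = "/All Asset Categories/System Asset Categories/Criticality/High"
CRIT_VERY_HIGH = "/All Asset Categories/System Asset Categories/Criticality/Very High"

# The guide says private addresses (such as 192.168.0.0) count as Protected even
# without the category; RFC 1918 is assumed to be what "private" means here.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def is_treated_as_protected(ip, categories):
    """Protected either implicitly (private address) or explicitly (category)."""
    return is_private_address(ip) or PROTECTED in categories


def audit_assets(inventory):
    """Return (asset name, finding) pairs for assets whose categories fall short
    of the guide's rules: organisation-controlled assets on public addresses
    that lack Protected, and critical assets that lack High/Very High criticality."""
    findings = []
    for asset in inventory:
        cats = set(asset["categories"])
        if asset["org_controlled"] and not is_treated_as_protected(asset["ip"], cats):
            findings.append((asset["name"], "missing Protected category"))
        if asset["critical"] and not cats & {CRIT_HIGH, CRIT_VERY_HIGH}:
            findings.append((asset["name"], "missing Criticality High or Very High"))
    return findings


# Constructed sample inventory (documentation and private address ranges only).
SAMPLE_INVENTORY = [
    {"name": "fileserver01", "ip": "10.20.30.40", "org_controlled": True,
     "critical": False, "categories": []},
    {"name": "www-public", "ip": "203.0.113.10", "org_controlled": True,
     "critical": True, "categories": [CRIT_HIGH]},
    {"name": "erp-db", "ip": "192.168.5.7", "org_controlled": True,
     "critical": True, "categories": []},
    {"name": "partner-host", "ip": "198.51.100.9", "org_controlled": False,
     "critical": False, "categories": []},
]

if __name__ == "__main__":
    for name, finding in audit_assets(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

In the sample, the public-facing web server is the one the guide singles out: it is controlled by the organisation but sits on a public address, so only the explicit Protected category makes the content treat it as internal. The private-addressed database is already Protected implicitly but still needs its criticality set, since criticality feeds the Priority Formula.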

Note: Assets with a private IP address (such as 192.168.0.0) are considered Protected by the system, even if they are not categorized as such.

Configuring Active Lists

The standard content includes active lists. Certain active lists are populated automatically during run-time by rules. You do not have to add entries to these active lists manually before you use them. Other active lists are designed to be populated manually with data specific to your environment. After the lists are populated with values, they are cross-referenced by active channels, filters, rules, reports, and data monitors to give ESM more information about the assets in your environment.

Intrusion Monitoring content uses the following active lists that you need to populate manually:

Populate the /ArcSight System/Attackers/Trusted List active list with the IP sources on your network that are known to be safe.

Populate the /ArcSight System/Attackers/Untrusted List active list with the IP sources on your network that are known to be unsafe.


You can add entries manually to active lists using the following methods. Both methods are described in the ArcSight Console User’s Guide.

One by one using the Active List editor in the ArcSight Console.

In a batch by importing values from a CSV file.
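Because the Trusted List and Untrusted List drive rule behaviour once imported, it is worth validating the CSV files first. The script below is an added example, not ArcSight code or anything from the guide: it parses one-column CSV files of IP sources, reports malformed and duplicate entries with their line numbers, and flags any address that appears in both lists, which would be a contradiction the rules cannot resolve. The one-column layout with an "address" header is an assumed format; match the column to the active list's field when you adapt it.

```python
# Added example (not ArcSight code): check CSV files of IP sources before they
# are imported into the Trusted List and Untrusted List active lists. A
# one-column CSV with the header "address" is an assumed layout; adjust the
# column name to match the active list's field.
import csv
import io
import ipaddress


def load_address_list(csv_text):
    """Parse the CSV text. Returns (valid addresses in file order, problems),
    where problems are (line number, description) pairs. Line numbers count
    the header as line 1, so a bad row can be located in the source file."""
    valid, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        raw = (row.get("address") or "").strip()
        if not raw:
            problems.append((lineno, "empty address"))
            continue
        try:
            addr = str(ipaddress.ip_address(raw))  # normalises e.g. IPv6 spelling
        except ValueError:
            problems.append((lineno, f"not an IP address: {raw!r}"))
            continue
        if addr in seen:
            problems.append((lineno, f"duplicate entry: {addr}"))
            continue
        seen.add(addr)
        valid.append(addr)
    return valid, problems


def cross_check(trusted, untrusted):
    """Addresses present in both lists contradict each other; return them so the
    operator resolves the conflict before either list feeds the rules."""
    return sorted(set(trusted) & set(untrusted))


# Constructed sample files: one duplicate in the trusted list, one malformed
# entry in the untrusted list, and one address that appears in both.
TRUSTED_CSV = """address
10.1.1.5
10.1.1.6
10.1.1.5
"""

UNTRUSTED_CSV = """address
203.0.113.77
10.1.1.6
not-an-ip
"""

if __name__ == "__main__":
    trusted, t_problems = load_address_list(TRUSTED_CSV)
    untrusted, u_problems = load_address_list(UNTRUSTED_CSV)
    for lineno, msg in t_problems + u_problems:
        print(f"line {lineno}: {msg}")
    print("in both lists:", cross_check(trusted, untrusted))
```

Run the check on both files and import only once the problem list is empty and the cross-check returns nothing; an address left on both lists would be treated as trusted by some content and untrusted by other content.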

Enabling Rules

ESM rules trigger only if they are deployed in the Real-Time Rules group and are enabled. The Intrusion Monitoring rules are all deployed by default in the Real-Time Rules group and are also enabled.

To disable a rule:

1 In the Navigator panel, go to Rules and navigate to the Real-time Rules group.

2 Navigate to the rule you want to disable.

3 Right-click the rule and select Disable Rule.

Configuring the Network Management Filter

The Network Management filter (/All Filters/ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Network Management) identifies events from two network management devices: HP VPO and Cisco NetFlow. If you use a network management device other than these, modify this filter with the Device Vendor and Device Product name of the device you use. The example below shows the default conditions in the Network Management filter.

[Figure: default conditions in the Network Management filter]

You can add to these conditions, or remove the existing ones and create new ones.

This filter is required by the Event Counts by Hour data monitor (/All Data Monitors/ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/Event Counts by Hour).
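The practical consequence of leaving this filter untouched is that events from any other network management product never reach the Event Counts by Hour data monitor. The script below is an added example, not the guide's filter definition or ArcSight code: it models the filter as a list of Device Vendor / Device Product pairs, counts passing events per hour the way the data monitor does, and shows the count change once a pair for an additional device is added. The vendor and product strings, the field names and the sample events are assumptions; read the real conditions from the filter in the Console before editing it.

```python
# Added example (not the guide's filter definition): a stand-in for the
# Network Management filter expressed as Device Vendor / Device Product pairs,
# and the hour-bucket count that the Event Counts by Hour data monitor builds
# from events passing it. The vendor and product strings below are assumptions;
# read the real conditions from the filter in the Console before changing it.
from collections import Counter
from datetime import datetime

# Assumed default conditions (one pair per network management device).
NETWORK_MANAGEMENT_CONDITIONS = [
    ("HP", "VPO"),
    ("CISCO", "NetFlow"),
]


def matches_network_management(event, conditions=NETWORK_MANAGEMENT_CONDITIONS):
    """True when the event's Device Vendor and Device Product equal one of the
    configured pairs. This example compares strings exactly, so a vendor name
    that differs in case or spacing does not match; confirm how the Console
    condition compares strings for your filter."""
    pair = (event["deviceVendor"], event["deviceProduct"])
    return pair in conditions


def event_counts_by_hour(events, conditions=NETWORK_MANAGEMENT_CONDITIONS):
    """Count events passing the filter, bucketed by the hour of their end time."""
    counts = Counter()
    for event in events:
        if matches_network_management(event, conditions):
            hour = datetime.fromisoformat(event["endTime"]).strftime("%Y-%m-%d %H:00")
            counts[hour] += 1
    return dict(counts)


# Constructed sample events. The fourth comes from a hypothetical third
# network management product that the default filter does not cover.
SAMPLE_EVENTS = [
    {"endTime": "2012-09-14T09:05:00", "deviceVendor": "HP", "deviceProduct": "VPO"},
    {"endTime": "2012-09-14T09:40:00", "deviceVendor": "HP", "deviceProduct": "VPO"},
    {"endTime": "2012-09-14T10:12:00", "deviceVendor": "CISCO", "deviceProduct": "NetFlow"},
    {"endTime": "2012-09-14T10:30:00", "deviceVendor": "ExampleNMS", "deviceProduct": "Monitor"},
]

# Extending the filter for the additional (hypothetical) device, as the guide
# says to do when you use a device other than the two defaults.
EXTENDED_CONDITIONS = NETWORK_MANAGEMENT_CONDITIONS + [("ExampleNMS", "Monitor")]

if __name__ == "__main__":
    print("default filter :", event_counts_by_hour(SAMPLE_EVENTS))
    print("extended filter:", event_counts_by_hour(SAMPLE_EVENTS, EXTENDED_CONDITIONS))
```

With the default pairs the 10:00 bucket holds one event; adding the third device's pair raises it to two. An hourly count that stays at zero for a device you know is sending events is the symptom to look for when the vendor or product string in the filter does not match what the connector actually populates.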


Configuring Notification Destinations

Configure notification destinations if you want to be notified when some of the standard content rules are triggered. By default, notifications are disabled in the standard content rules, so the admin user needs to configure the destinations and enable the notification in the rules. For details about enabling the notifications in rules, see Configuring Notifications and Cases, below.

Intrusion Monitoring rules reference two notification groups: CERT Team and SOC Operators. Add new destinations for notification levels 1, 2, and 3 as appropriate to the personnel in your security operations center. Refer to the ArcSight Console User’s Guide or the ESM online Help for information on how to configure notification destinations.

Configuring Notifications and Cases

Standard content depends on rules to send notifications and open cases when conditions are met. Notifications and cases are how users can track and resolve the security issues that the content is designed to find.

By default, the notification and create case actions are disabled in the standard content rules that send notifications about security-related events to the CERT Team notification group.

To enable rules to send notifications and open cases, first configure notification destinations as described in “Configuring Notification Destinations” on page 15, then enable the notification and case actions in the rules.

For more information about working with rule actions in the Rules Editor, refer to the ArcSight Console User’s Guide or the ESM online Help.

Scheduling Reports

You can run reports on demand, automatically on a regular schedule, or both. By default, reports are not scheduled to run automatically.

Evaluate the reports that come with Intrusion Monitoring, and schedule the reports that are of interest to your organization and business objectives. For instructions about how to schedule reports, refer to the ArcSight Console User’s Guide or the ESM online Help.

Restricting Access to Vulnerability View Reports

The Vulnerability View detail reports display a list of vulnerabilities generated by scanner report events, and are therefore considered sensitive material. By default, the reports are configured with read access for Administrators, Default User Groups, and Analyzer Administrators. Administrators and Analyzer Administrators also have write access to this group.

To eliminate these events from view, you need to create a special filter and apply the filter to the appropriate user groups. Before deciding whether to restrict access to the Vulnerability View reports, be aware of the following:

Because access is inherited, the parent group must have the same or more liberal permissions than the vulnerability reports.

If you need to move the reports to a group with tighter permissions, also move the trends and queries that support them, in both the Detail and Operational Summaries sections.


To get a complete view of the resources attached to these reports, run a resource graph on the individual filters or the parent group (right-click the resource or group and select Graph View).

Configuring Trends

Trends are a type of resource that can gather data over longer periods of time, which can be leveraged for reports. Trends streamline data gathering to the specific pieces of data you want to track over a long range, and break the data gathering up into periodic updates. For long-range queries, such as end-of-month summaries, trends greatly reduce the burden on system resources. Trends can also provide a snapshot of which devices report on the network over a series of days.

Intrusion Monitoring content includes several trends, some of which are enabled by default. These enabled trends are scheduled to run on an alternating schedule between the hours of midnight and 7:00 a.m., when network traffic is usually less busy than during peak daytime business hours. These schedules can be customized to suit your needs using the Trend scheduler in the ArcSight Console.

To disable or enable a trend, go to the Trend tab from the Reports drop-down list in the Navigator panel, right-click the trend, then select Disable Trend or Enable Trend.

For more information about trends, refer to the ArcSight Console User’s Guide or the ESM online Help.

Before you enable a disabled trend, you must first change the default start date in the Trend editor.

If the start date is not changed, the trend takes the default start date (derived from when the trend was first installed) and backfills the data from that time. For example, if you enable the trend six months after the first install, the trend tries to get all the data for the last six months, which might cause performance problems, overwhelm system resources, or cause the trend to fail if that event data is not available.


Chapter 3

Intrusion Monitoring Content

In this section, the Intrusion Monitoring resources are grouped together based on the functionality they provide. The Intrusion Monitoring groups are listed in the table below.

Resource Group Purpose

“Alerts from IDS-IPS” on page 19

The Alerts from IDS-IPS resources provide information about alerts from Intrusion Detection Systems and Intrusion Prevention Systems.

“Anti-Virus Activity and Status” on page 22

The Anti-Virus Activity and Status resources provide information about virus activity by using two moving average data monitors that track increases in virus activity either by zone or by host, and the Virus Activity event graph.

“Attack Rates” on page 27

The Attack Rates resources provide information about changes in attack activity by either service or target zone. The reports are driven by moving average data monitors. The dashboards display the appropriate data monitors for a view of the areas (services and target zones), to assist in determining whether the network is being attacked in a general sense, or if the attacks focus on specific network areas.

“Attackers” on page 37

The Attackers resources provide statistics about attackers (such as reporting device, target host, target port, and ArcSight priority), views of attackers (by attacker port and, when available, by protocol), and statistics about attackers by using top and bottom 10 lists. The bottom 10 lists can be useful for tracking the attackers who are trying to avoid detection by the low-and-slow method (low volume over a long period of time).

“Business Impact Analysis” on page 54

The Business Impact Analysis resources provide information about which business areas are the victims of the most attack activity.

“DoS” on page 59

The DoS (Denial of Service) resources use moving average data monitors and categorized events with the technique set to /DoS to help determine when a DoS is taking place. The data monitors highlight high-volume activity that might result in a DoS. The categorized events (mostly from an IDS) can show DoS events that do not require exceeding bandwidth or processing limitations.

“Environment State” on page 66

The Environment State resources provide information about activity that reflects the state of the overall network, and provide details about applications, operating systems and services.

“Login Tracking” on page 74

The Login Tracking resources provide information about user logins.


“Reconnaissance” on page 95

The Reconnaissance resources expand on the ArcSight Core reconnaissance rules, and provide insight into the different types of reconnaissance directed at the network or parts of the network. This content breaks down reconnaissance activity by type. Dashboards show what parts of the network are being scanned and how.

“Regulated Systems” on page 106

The Regulated Systems resources focus on events related to assets that have been categorized as one of the compliance requirement asset categories, such as HIPAA, Sarbanes-Oxley, and FIPS-199.

“Resource Access” on page 109

The Resource Access resources focus on access events, broken down by resource type (database, email, files, and so on), and track this access by user. The brute force resource activity is included here. There are session lists that track the duration of an access session by user, and the duration of access sessions that took place after a brute force login attack.

“Revenue Generating Systems” on page 119

The Revenue Generating Systems resources provide reports that focus on attacked or compromised systems that have been categorized in the Revenue Generation category under Business Impact Analysis/Business Roles.

“SANS Top 5 Reports” on page 122

The SANS Top 5 Reports resources provide information that helps address the SANS Institute's list of recommendations for what every IT staff should know, at a minimum, about their network, based on the Top 5 Essential Log Reports.

“SANS Top 20” on page 129

The SANS Top 20 resources provide the context for a series of email and operating system rules that look for specific events that relate to vulnerabilities. The SANS Top 20 reports show assets where these vulnerabilities have been compromised.

“Security Overview” on page 145

The Security Overview resources provide information of interest to executive level personnel.

“Targets” on page 155

The Targets resources provide security information focused on target information.

“Vulnerability View” on page 168

The Vulnerability View resources provide information about assets and their vulnerabilities, with an active channel that focuses on vulnerability scanner reports. These resources present two major reports that are a variation on the list of assets and the list of vulnerabilities.

“Worm Outbreak” on page 174

The Worm Outbreak resources provide information about worm activity and the effect a worm has had on the network.


Alerts from IDS-IPS

The Alerts from IDS-IPS resources provide information about alerts from Intrusion Detection Systems and Intrusion Prevention Systems.

Devices

The following device types can supply events that apply to the resources in the Alerts from IDS-IPS resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Resources

The following table lists all the resources in the Alerts from IDS-IPS resource group and any dependent resources.

Table 3-1 Resources that Support the Alerts from IDS-IPS Group

Resource Description Type URI

Monitor Resources

Top Alerts from IDS and IPS

This report shows the top alerts originating from Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Alert Counts per Hour

This report shows the total count of IDS and IPS alerts per hour within the past 24 hours (by default).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Device

This report shows the count of IDS and IPS alerts by device. A chart shows the top 10 device addresses with the highest counts. A table shows a list of all the devices, grouped by device vendor and product, then sorted by count.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Port

This report shows the count of IDS and IPS alerts by destination port. A chart shows the top 10 ports with the highest counts. A table shows a list of all the counts sorted in descending order.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/


Alert Counts by Severity

This report shows the total count of IDS and IPS alerts by severity (agent severity). A chart shows the count of alerts by severity. A table shows the count of alerts by severity, device vendor, and device product.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Type

This report shows the count of IDS and IPS alerts by type (category technique). A chart shows the top 10 alert counts. A table shows a list of all the counts sorted by descending order.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Library Resources

IDS-IPS Events

This filter identifies Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) events.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

All Events

This filter matches all events.

Filter ArcSight System/Core

Top 10 Alerts

This report shows the top alerts that originate from Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

Focused Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Severity (Chart)

This query returns the count of IDS and IPS alerts by severity (agent severity).

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Port

This query returns the count of IDS and IPS alerts by destination port.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Type

This query returns the count of IDS and IPS alerts by type (category technique).

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Top IDS and IPS Alerts

This query returns IDS and IPS alert events, selecting the device event class ID, event name, device vendor, device product, and a count on the end time of the event.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Top Alerts from IDS/

Alert Counts by Severity

This query retrieves the count of IDS and IPS alerts by severity (agent severity), device vendor, and device product.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/

Alert Counts by Device

This query retrieves the count of IDS and IPS alerts by device vendor, product, zone, address, and hostname.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/


Alert Counts per Hour

This query retrieves the count of IDS and IPS alerts per hour.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/


Anti-Virus Activity and Status

The Anti-Virus Activity and Status resources provide information about virus activity by using two moving average data monitors that track increases in virus activity either by zone or by host, and the Virus Activity event graph.

Devices

The following device types can supply events that apply to the resources in the Anti-Virus Activity and Status resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Vulnerability scanners

Resources

The following table lists all the resources in the Anti-Virus Activity and Status resource group and any dependent resources.

Table 3-2 Resources that Support the Anti-Virus Activity and Status Group

Resource Description Type URI

Monitor Resources

Virus Activity Statistics

This dashboard displays data monitors describing virus activity. The Virus Activity by Zone and Virus Activity by Host data monitors are moving average graphs grouping by virus name, target zone resource, and address and customer resource.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Virus/

Anti-Virus Overview

This dashboard shows an overview of the top infections, the top infected systems, and the most recent and top anti-virus error events.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Virus/

Virus Activity Overview

This dashboard displays data monitors describing virus activity and is based on the Virus Activity Statistics dashboard. The Virus Activity data monitor shows a graph view of the viruses, their relationships to the infected systems, and the relationships of the infected systems to the network zones. The Virus Activity by Zone and Virus Activity by Host data monitors are moving average graphs grouping by virus name, target zone resource, and address and customer resource.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Virus/


Errors Detected in Anti-Virus Deployment

This report displays the hosts reporting the most anti-virus errors for the previous day and includes the anti-virus product, host details, error information, and the number of errors.

Report ArcSight Foundation/Common/Anti-Virus/

Top Infected Systems

This report displays summaries of the systems reporting the most infections in the previous day.

Report ArcSight Foundation/Common/Anti-Virus/

Failed Anti-Virus Updates

This report displays a table with the anti-virus vendor and product name as well as the hostname, zone and IP address of the host on which the update failed. The time (EndTime) at which the update failed is also displayed. This report runs against events that occurred yesterday.

Report ArcSight Foundation/Common/Anti-Virus/

Virus Activity by Time

This report displays malware activity for the previous day, broken down by hour and priority.

Report ArcSight Foundation/Common/Anti-Virus/

Update Summary

This report displays a summary of the results of anti-virus update activity by zones since yesterday.

Report ArcSight Foundation/Common/Anti-Virus/

Library Resources

Top 10 Infected Systems

This data monitor shows the top 10 systems with events matching the AV - Found Infected filter (the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure and the category behavior is /Found/Vulnerable).

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Anti-Virus Overview/

Top 10 Anti-Virus Errors

This data monitor shows the top 10 systems with events matching the AV - Found Infected filter (the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure and the category behavior is /Found/Vulnerable).

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Anti-Virus Overview/

Virus Activity

This data monitor shows virus activity on the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Virus Activity Overview/

Top 10 Infections

This data monitor shows the top 10 systems with events matching the AV - Found Infected filter (the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure and the category behavior is /Found/Vulnerable).

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Anti-Virus Overview/


Virus Activity by Host

This data monitor shows the most active hosts with virus activity on the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Virus Activity Overview/

Virus Activity by Zone

This data monitor shows the most active zones with virus activity on the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Virus Activity Overview/

Last 10 Anti-Virus Errors

This data monitor tracks the last anti-virus error events, displaying the time of occurrence, the priority, the vendor information, and the device information.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Virus/Anti-Virus Overview/

Anti-Virus Events

This filter identifies events with the category device group of /IDS/Host/Antivirus.

Filter ArcSight Foundation/Common/Anti-Virus/

Virus Activity

This filter detects virus activity reported by either an IDS or an anti-virus application. The filter classifies virus events in two ways: the category object starts with /Vector/Virus or /Host/Infection/Virus; or the category behavior is /Found/Vulnerable or starts with /Modify/Content or /Modify/Attribute, the category device group is /IDS/Host/Antivirus, and Device Custom String1 is set to some value.

Filter ArcSight Foundation/Common/Anti-Virus/

Target Address is NULL

This filter is designed for conditional expression variables. The filter identifies events in which the target address is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Host/

AV - Found Infected

This filter identifies all events in which the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure and the category behavior is /Found/Vulnerable.

Filter ArcSight Foundation/Common/Anti-Virus/

Anti-Virus Errors

This filter identifies events where the category device group is /IDS/Host/Antivirus, the category object starts with /Host/Application, the category outcome is not Success, and the category significance starts with Informational.

Filter ArcSight Foundation/Common/Anti-Virus/

Target Host Name is NULL

This filter is designed for conditional expression variables. The filter identifies events in which the Target Host Name is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Host/


Update Events

This filter identifies events related to anti-virus product data file updates.

Filter ArcSight Foundation/Common/Anti-Virus/

Target Zone is NULL

This filter is designed for conditional expression variables. The filter identifies events in which the Target Zone is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Host/

All Events

This filter matches all events.

Filter ArcSight System/Core

AV - Failed Updates

This filter identifies all anti-virus update events (based on the Update Events filter), where the category outcome is Failure.

Filter ArcSight Foundation/Common/Anti-Virus/

Infected Systems

This query identifies data matching the AV - Found Infected filter (the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure and the category behavior is /Found/Vulnerable), and returns the host information and a count of the infections per host.

Query ArcSight Foundation/Common/Anti-Virus/Top Infected Systems/

Failed Anti-Virus Updates

This query identifies the device vendor, device product target zone name, target host name, and target address and time (EndTime) from events that match the AV - Failed Updates filter.

Query ArcSight Foundation/Common/Anti-Virus/

Failed Anti-Virus Updates Chart

This query identifies the target zone name and the sum of the aggregated event count from events that match the AV - Failed Updates filter.

Query ArcSight Foundation/Common/Anti-Virus/

Virus Activity by Hour

This query identifies data matching the AV - Found Infected filter (the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure, and the category behavior is /Found/Vulnerable). This query returns the time, priority, virus activity, and a count of activity occurrences.

Query ArcSight Foundation/Common/Anti-Virus/Virus Activity by Time/

Top Zones with Anti-Virus Errors

This query identifies data from events in which the category device group is /IDS/Host/Antivirus, the category object starts with /Host/Application, the category outcome is not Success, and the category significance starts with Informational. The query returns the zone and the number of times the error occurred.

Query ArcSight Foundation/Common/Anti-Virus/Errors/


Anti-Virus Errors

This query identifies data from events where the category device group is /IDS/Host/Antivirus, the category object starts with /Host/Application, the category outcome is not Success, and the category significance starts with Informational. The query returns the priority, vendor information, host information, error name, and the number of times the error occurred.

Query ArcSight Foundation/Common/Anti-Virus/Errors/

Update Summary Chart

This query identifies the target zone name, category outcome, and the sum of the aggregated event count from events that match the Update Events filter.

Query ArcSight Foundation/Common/Anti-Virus/

Top Infected Systems

This query identifies data matching the AV - Found Infected filter (the category device group starts with /IDS/Host/Antivirus, the category outcome is Failure and the category behavior is /Found/Vulnerable), and returns the host zone and a count of the infections per zone.

Query ArcSight Foundation/Common/Anti-Virus/Top Infected Systems/

Top Anti-Virus Errors

This query identifies data from events where the category device group is /IDS/Host/Antivirus, the category object starts with /Host/Application, the category outcome is not Success, and the category significance starts with Informational. The query returns the error name and the number of times the error occurred.

Query ArcSight Foundation/Common/Anti-Virus/Errors/

Update Summary

This query identifies the target zone name, target host name, target address, device vendor, device product, category outcome, and the sum of the aggregated event count from events that match the Update Events filter.

Query ArcSight Foundation/Common/Anti-Virus/
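The anti-virus filter conditions listed in Table 3-2 (Anti-Virus Events, AV - Found Infected, Anti-Virus Errors and Virus Activity), written out as Python predicates over ArcSight-style event dictionaries, together with the per-host count that the Infected Systems query performs. This is an added example, not content from the ArcSight package: the field names follow the ArcSight event schema, while the sample events, the "/Failure" and "/Success" spellings of the outcome values, and the grouping of the two Virus Activity clauses are assumptions.

```python
"""Added example (not ArcSight content): Table 3-2 anti-virus filters as
predicates, plus the per-host infection count of the Infected Systems query.
Field names follow the ArcSight schema (categoryDeviceGroup, categoryOutcome,
...); sample events and the '/Failure' / '/Success' spellings are assumed."""
from collections import Counter

AV_GROUP = "/IDS/Host/Antivirus"


def _starts_with(event, field, *prefixes):
    value = event.get(field) or ""
    return value.startswith(prefixes)


def anti_virus_events(event):
    """Filter 'Anti-Virus Events': category device group is the anti-virus group."""
    return event.get("categoryDeviceGroup") == AV_GROUP


def av_found_infected(event):
    """Filter 'AV - Found Infected': an anti-virus product reported an infection."""
    return (_starts_with(event, "categoryDeviceGroup", AV_GROUP)
            and event.get("categoryOutcome") == "/Failure"
            and event.get("categoryBehavior") == "/Found/Vulnerable")


def anti_virus_errors(event):
    """Filter 'Anti-Virus Errors': the anti-virus application itself reported a problem."""
    return (event.get("categoryDeviceGroup") == AV_GROUP
            and _starts_with(event, "categoryObject", "/Host/Application")
            and event.get("categoryOutcome") != "/Success"
            and _starts_with(event, "categorySignificance", "/Informational"))


def virus_activity(event):
    """Filter 'Virus Activity': either the category object is virus-related (the IDS
    view), or an anti-virus product found or modified something and named it in
    deviceCustomString1. The grouping of the two clauses is our reading of the table."""
    by_object = _starts_with(event, "categoryObject", "/Vector/Virus", "/Host/Infection/Virus")
    behavior = event.get("categoryBehavior") or ""
    by_behavior = ((behavior == "/Found/Vulnerable"
                    or behavior.startswith(("/Modify/Content", "/Modify/Attribute")))
                   and event.get("categoryDeviceGroup") == AV_GROUP
                   and bool(event.get("deviceCustomString1")))
    return by_object or by_behavior


def infections_per_host(events):
    """Equivalent of the 'Infected Systems' query: AV - Found Infected events
    counted per target host, most infected first."""
    counts = Counter(e.get("destinationHostName", "<unknown>")
                     for e in events if av_found_infected(e))
    return counts.most_common()


# Constructed sample events, modelled on the categorization the table describes.
SAMPLE_EVENTS = [
    {"categoryDeviceGroup": AV_GROUP, "categoryOutcome": "/Failure",
     "categoryBehavior": "/Found/Vulnerable", "categoryObject": "/Host/Infection/Virus",
     "deviceCustomString1": "Example.Trojan.A", "destinationHostName": "ws-101"},
    {"categoryDeviceGroup": AV_GROUP, "categoryOutcome": "/Failure",
     "categoryBehavior": "/Found/Vulnerable", "categoryObject": "/Host/Infection/Virus",
     "deviceCustomString1": "Example.Worm.B", "destinationHostName": "ws-101"},
    {"categoryDeviceGroup": AV_GROUP, "categoryOutcome": "/Failure",
     "categoryBehavior": "/Found/Vulnerable", "categoryObject": "/Host/Infection/Virus",
     "deviceCustomString1": "Example.Trojan.A", "destinationHostName": "srv-db-2"},
    # Anti-virus engine error: application object, non-success outcome.
    {"categoryDeviceGroup": AV_GROUP, "categoryOutcome": "/Failure",
     "categoryBehavior": "/Execute/Start", "categoryObject": "/Host/Application/Service",
     "categorySignificance": "/Informational/Error", "destinationHostName": "ws-205"},
    # Successful update: an anti-virus event, but neither an infection nor an error.
    {"categoryDeviceGroup": AV_GROUP, "categoryOutcome": "/Success",
     "categoryBehavior": "/Modify/Configuration", "categoryObject": "/Host/Application/Service",
     "categorySignificance": "/Informational", "destinationHostName": "ws-205"},
    # Network IDS virus signature: virus activity, but not an anti-virus event.
    {"categoryDeviceGroup": "/IDS/Network", "categoryOutcome": "/Attempt",
     "categoryBehavior": "/Communicate/Query", "categoryObject": "/Vector/Virus",
     "destinationHostName": "ws-333"},
]


def summarize(events=SAMPLE_EVENTS):
    """Count how many events each filter selects."""
    return {
        "anti_virus_events": sum(anti_virus_events(e) for e in events),
        "av_found_infected": sum(av_found_infected(e) for e in events),
        "anti_virus_errors": sum(anti_virus_errors(e) for e in events),
        "virus_activity": sum(virus_activity(e) for e in events),
    }


if __name__ == "__main__":
    print(summarize())
    print(infections_per_host(SAMPLE_EVENTS))
```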


Attack Rates

The Attack Rates resources provide information about changes in attack activity by either service or target zone. The reports are driven by moving average data monitors. The dashboards display the appropriate data monitors for a view of the areas (services and target zones), to assist in determining whether the network is being attacked in a general sense, or if the attacks focus on specific network areas.

Devices

The following device types can supply events that apply to the Attack Rates resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The Attack Rates resource group requires the following configuration for your environment:

Enable the following trends:

Prioritized Attack Counts by Target Zone—This trend is used by the Prioritized Attack Counts by Target Zone - Last 24 Hours report.

Prioritized Attack Counts by Service—This trend is used by the Prioritized Attack Counts by Service - Last 24 Hours report.

Resources

The following table lists all the resources in the Attack Rates resource group and any dependent resources.

Table 3-3 Resources that Support the Attack Rates Group

Resource Description Type URI

Monitor Resources

Attack Rates by Zones

This dashboard provides a broad overview of the attack rates in target zones and attacker zones.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Top 10 Attack Rate Statistics by Service

This dashboard provides a top 10 view of the attack rates by service. The view includes the target services (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/


Customer Attack Rates by Service

This dashboard provides an overview of the attack rates by service. The overview includes the target service (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones. The overview is broken down by customer.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/

Top 10 Customer Attack Rate Statistics by Service

This dashboard shows a top 10 view of the attack rates by service. The view includes the target services (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones. Each area is also broken down by customer.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/

Top 10 Customer Attack Rate Statistics by Service and Zones

This dashboard shows a top 10 view of the attack rates by service. The dashboard shows the target services (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones. The overview is broken down by customer.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/

Top 10 Attack Rate Statistics by Zones

This dashboard provides a top 10 view of the attack rates in target zones and attacker zones.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Attack Rates by Service and Zones

This dashboard displays an overview of the attack rates by service. The overview includes the target service (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Customer Attack Rates by Service and Zones

This dashboard provides an overview of the attack rates by service. The overview includes the target service (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones. Each area is also broken down by customer.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/


Top 10 Attack Rate Statistics by Service and Zones

This dashboard provides a top 10 view of the attack rates by service. The dashboard view includes the target services (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Customer Attack Rates by Zones

This dashboard displays a broad overview of the attack rates in target zones and attacker zones. Each zone is also broken down by customer.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/

Top 10 Customer Attack Rate Statistics by Zones

This dashboard shows a top 10 view of the attack rates in target zones and attacker zones. Each zone is also broken down by customer.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/

Attack Rates by Service

This dashboard provides an overview of the attack rates by service. The overview includes the target service (defined as the service name and port), the target services broken down by target zones, and the target services broken down by attacker zones.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Prioritized Attack Counts by Target Zone - Last 24 Hours

This report displays each target zone with the counts of the events separated by priority. A detailed table shows the event counts subtotaled for each zone, with a total for all zones at the end.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Prioritized Attack Counts by Service - Last 24 Hours

This report displays the target services by priority and the associated number of attack events for the previous day. The service displayed is a combination of the transport protocol, the application protocol, and the port number. A detailed table shows each target service and the number of attack events associated with the target service by priority for the same time period.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Trend: Prioritized Attack Counts by Service - Last 24 Hours

This report displays the target zones and the associated number of service events per hour. A detailed table shows each target zone and the number of attack events associated with the target zone by hour and priority.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/


Trend: Prioritized Attack Counts by Target Zone - Last 24 Hours

This report displays the target zones and the associated number of attack events per hour. A detailed table shows each target zone and the number of attack events associated with the target zone by hour and priority.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/

Library Resources

Attack Rates by Targeted Zone

This data monitor follows the possible attack counts for up to 20 target services by target zones (service is defined as the service name and port), at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Zone/

Attack Rates by Service

This data monitor follows the possible attack counts for up to 20 target services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Service/

Attacker Zones by Service and Customer

This data monitor follows the possible attack counts for up to 20 target services (service is defined as the transport protocol, service name and port) by attacker zone, at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Customer Attack Rates by Service and Zones/

Attack Rates by Service and Customer

This data monitor follows the possible attack counts for up to 20 target services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Customer Attack Rates by Service/

Attack Rates by Attacker Zone and Customer

This data monitor follows the possible attack counts for up to 20 target services by attacker zones (service is defined as the service name and port), at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Customer Attack Rates by Zone/

Top 10 Targeted Zones by Service

This data monitor follows the possible attack counts for the top 10 targeted zones and targeted services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The data monitor refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Top 10 Attack Rate Statistics by Service and Zones/

Top 10 Attacker Zones by Service

This data monitor follows the possible attack counts for the top 10 targeted services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Top 10 Attack Rate Statistics by Service and Zones/

Targeted Zones by Service and Customer

This data monitor follows the possible attack counts for up to 20 target services (service is defined as the transport protocol, service name and port) by target zone, at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Customer Attack Rates by Service and Zones/

Top 10 Targeted Zones by Service and Customer

This data monitor follows the possible attack counts for the top 10 targeted zones and targeted services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Top 10 Customer Attack Rate Statistics by Service and Zones/

Top 10 Targeted Zones by Customer

This data monitor follows the possible attack counts for the top 10 targeted services by targeted zones (service is defined as the service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Top 10 Customer Attack Rate Statistics by Zones/

Attack Rates by Attacker Zone

This data monitor follows the possible attack counts for up to 20 target services by attacker zones (service is defined as the service name and port), at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Zone/

Top 10 Attacked Services

This data monitor follows the possible attack counts for the top 10 attacker zones and targeted services (service here is defined as the transport protocol, service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Top 10 Attack Rate Statistics by Service/

Attack Rates by Targeted Zone and Customer

This data monitor follows the possible attack counts for up to 20 target services by target zones (service is defined as the service name and port), at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Customer Attack Rates by Zone/

Top 10 Attacker Zones

This data monitor follows the possible attack counts for the top 10 targeted services by attacker zones (service is defined as the service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Top 10 Attack Rate Statistics by Zone/

Top 10 Attacker Zones by Service and Customer

This data monitor follows the possible attack counts for the top 10 attacker zones and targeted services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Top 10 Customer Attack Rate Statistics by Service and Zones/

Top 10 Targeted Zones

This data monitor follows the possible attack counts for the top 10 targeted services by targeted zones (service is defined as the service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Top 10 Attack Rate Statistics by Zone/

Attacker Zones by Service

This data monitor follows the possible attack counts for up to 20 target services (service is defined as the transport protocol, service name and port) by attacker zone, at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Service and Zones/

Top 10 Targeted Services by Customer

This data monitor follows the possible attack counts for the top 10 targeted services (service is defined as the transport protocol, service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Top 10 Customer Attack Rate Statistics by Service/

Targeted Zones by Service

This data monitor follows the possible attack counts for up to 20 target services (service is defined as the transport protocol, service name and port) by target zone, at five minute intervals over an hour. The data monitor sends alerts at no more than 10 minute intervals. The display refreshes every 30 seconds.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Service and Zones/

Top 10 Attacker Zones by Customer

This data monitor follows the possible attack counts for the top 10 targeted services by attacker zones (service is defined as the service name and port), at five minute intervals over an hour. The display refreshes every 30 seconds. The services are also broken down by customer.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/By Customer/Top 10 Customer Attack Rate Statistics by Zones/

Application Protocol is not NULL

This filter identifies if an event has an entry for the Application Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Possible Attack Events

This filter retrieves events in which the category significance is Compromise, Hostile or Suspicious. Note: There is no restriction on whether the target is an internal or external system.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attack Rates/

Target Service Name is not NULL

This filter identifies if an event has an entry for the Target Service Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Target Port is not NULL

This filter identifies if an event has an entry for the Target Port field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Transport Protocol is not NULL

This filter identifies if an event has an entry for the Transport Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Prioritized Attack Counts by Service - Last Hour

This query identifies the service (the Service Variable, defined as the transport name/service name: port) and priority, and sums the aggregated event count from events matching the Possible Attack Events filter over the last hour.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/

Prioritized Attack Counts by Service Query on Trend

This query identifies the hour, service name (Application Protocol Name/Transport Protocol Name: Target Port), and priority, and sums the number of events for that service for the Trend: Prioritized Attack Counts by Service - Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/

Attack Counts by Target Zone Query on Trend

This query on the Prioritized Attack Counts by Target Zone trend identifies the hour and target zone name, and sums the number of events for that service for the Trend: Prioritized Attack Counts by Target Zone - Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/

Prioritized Attack Counts by Target Zone - Last Hour

This query identifies the target zone name and priority, and sums the aggregated event count from events matching the Possible Attack Events filter over the last hour.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/


Attack Counts by Service Query on Trend

This query on the Prioritized Attack Counts by Service trend identifies the hour and service name (Application Protocol Name/Transport Protocol Name: Target Port), and sums the number of events for that service for the Trend: Prioritized Attack Counts by Service - Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/

Prioritized Attack Counts by Target Zone Query on Trend

This query on the Prioritized Attack Counts by Target Zone trend identifies the hour, target zone name, and priority and sums the number of events for that service for the Trend: Prioritized Attack Counts by Target Zone - Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/

Prioritized Attack Counts by Target Zone - Trend

This query populates the Prioritized Attack Counts by Target Zone trend. The query identifies the hour, target zone name, and priority and sums the aggregated event count. The hour is used so that the data can be plotted based on the hour in which the event occurred, not the trend timestamp (the time the event data was stored in the trend).

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/Trend Queries/

Prioritized Attack Counts by Service - Trend

This query populates the Prioritized Attack Counts by Service trend. The query identifies the hour, service (a variable based on the service name or application protocol, the transport protocol, and the port; for example: HTML/TCP:80), and priority and sums the aggregated event count. The hour is used so that the data can be plotted based on the hour in which the event occurred, not the trend timestamp (the time the event data was stored in the trend).

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/Trend Queries/

Prioritized Attack Counts by Target Zone

This trend contains data selected by the query Prioritized Attack Counts by Target Zone - Trend, which identifies the hour, target zone, and priority and sums the aggregated event count. The hour is used so that the data can be plotted based on the hour in which the event occurred. Note: This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/


Prioritized Attack Counts by Service

This trend contains data selected by the query Prioritized Attack Counts by Service - Trend, which identifies the hour, service (a variable based on the service name or application protocol, transport protocol, and port; for example: HTML/TCP:80), and priority and sums the aggregated event count. The hour is used so that the data can be plotted based on the hour in which the event occurred. Note: This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/Attack Rates/


Attackers

The Attackers resources provide statistics about attackers (such as reporting device, target host, target port, and ArcSight priority), views of attackers (by attacker port and, when available, by protocol), and statistics about attackers by using top and bottom 10 lists. The bottom 10 lists can be useful for tracking the attackers who are trying to avoid detection by the low-and-slow method (low volume over a long period of time).

Devices

The following device types can supply events that apply to the Attackers resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Resources

The following table lists all the resources in the Attackers resource group and any dependent resources.

Table 3-4 Resources that Support the Attackers Group

Resource Description Type URI

Monitor Resources

Target Counts by Attacker Port

This report displays the attacker port, target zone name, target address, and the count of attack events (where the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Denied Outbound Connections by Port

This report shows a summary of the denied outbound traffic by destination port. A chart shows the top 10 ports with the highest denied connections count. The report lists all the ports sorted by connection count.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Top Users by Average Session Length

This report shows duration information about VPN connections for each user. A summary of the top VPN connection duration by user is provided. Details of each user's connection durations are also provided, including minimum, average, maximum, and total connection minutes. Also included are details of connections that are open at the time the report is run.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/VPN/


Denied Outbound Connections per Hour

This report shows a summary of the denied outbound traffic per hour. A chart shows the total number of denied connections per hour for the previous day (by default). A table shows the connection count per hour grouped by source zone.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Attacker Counts by Attacker Port

This report displays the attacker port, attacker zone name, attacker address, and the count of attack events (where the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Connection Counts by User

This report shows count information about connections for each user reported by Identity Management devices. A summary of the top users by connection count is provided.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Top N Attacker Details

This report displays the priority, attacker zone name, attacker address, and the count of attack events (the category significance starts with Compromise or Hostile). The query uses the sum of the aggregated event count instead of counting the EventID so that attackers are not split by the attack type.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom Attackers/

Top Attacker Ports

This report displays the transport protocol, attacker port, and the count of attack events (the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Attacker Counts By Target

This report displays the attacker zone name, attacker address, the event name, and the count of attack events (the category significance starts with Compromise or Hostile), for the target zone and address specified in the parameters.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Denied Inbound Connections per Hour

This report shows a summary of the denied inbound traffic per hour. A chart shows the total number of denied connections per hour for the previous day (by default). A table shows the connection count per hour grouped by source zone.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/


Top Attackers

This report displays a chart of the attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom Attackers/

Bottom N Attackers

This report displays a chart showing the attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile, in ascending order of their event count.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom Attackers/

Denied Outbound Connections by Address

This report shows a summary of the denied outbound traffic by local address. A chart shows the top 10 addresses with the highest denied connections count. The report lists all the addresses sorted by connection count.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Attacker Counts by ArcSight Priority

This report displays a table with the priority, attacker zone name, attacker address, and the count of attack events (the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Denied Inbound Connections by Address

This report shows a summary of the denied inbound traffic by foreign address. A chart shows the top 10 addresses with the highest denied connections count. The report lists all the addresses sorted by connection count.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Top Alert Sources

This report shows the top IDS and IPS alert sources per day. A chart shows the top 10 IDS and IPS alert source IP addresses. A table shows the top alert source IP addresses and zones, as well as the device vendor and product of the reporting device.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/IDS/

Attacker Port Counts

This report displays the attacker port, event name, and the count of attack events (where the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Top N Attack Sources

This report displays the attacker zone name and the count of attack events (where the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom Attackers/


Attacker Counts by Device

This report displays a table with the device zone name, device address, attacker zone name, attacker address, and the count of attacker events (the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Attacker Counts by Target Port

This report displays the target port, attacker zone name, attacker address, and the count of attack events (where the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Bottom N Attack Sources

This report displays the attacker zone name and a sum of the count of attack events (where the category significance starts with Compromise or Hostile).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom Attackers/

Denied Inbound Connections by Port

This report shows a summary of the denied inbound traffic by destination port. A chart shows the top 10 ports with the highest denied connections count. The report lists all the ports sorted by connection count.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Library - Correlation Resources

Traffic From Dark Address Space

This rule detects traffic originating from the Dark address space and adds the target address to the Hit active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Traffic Anomalies/

Probable Successful Attack - Repetitive Exploit Events

This rule detects a repetitive exploit attempt by the same attacker to the same target. The rule monitors events categorized as exploits coming from an attacker that is not on the trusted attackers active list. The rule triggers when three events occur within two minutes. On the first threshold, the agent severity is set to high, the category significance is set to Hostile, and the category outcome is set to Attempt.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/


Brute Force Logins

This rule detects non-application brute force login attempts. The rule looks for occurrences of login attempts or failures from sources that are not listed on a trusted active list. The rule triggers after five occurrences within two minutes. On the first threshold, a correlation event is triggered that is caught by the Compromise - Attempt rule, which adds the attacker address to the Suspicious active list. The conditions require that the attacker address and zone are present, and that the generator ID (the rule Resource ID) is not the same as this rule's generator ID.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Attempts/

Probable Successful Attack - System Configuration

This rule detects modifications in operating system configuration. It correlates two events: System_config, which monitors any successful modification of an operating system, and Attack_configuration, which monitors configuration modifications that are categorized as hostile or informational warning. The rule triggers when the Attack_configuration event ends before the System_config event (that is, whenever a modification of a system configuration is due to an attack). The rule does not trigger if an attacker is listed on a trusted list. On the first event, the attacker is added to the Hostile list and the target is added to the Compromised list. This rule is triggered by operating systems.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/

Suspicious Activity - Packet Manipulation

This rule detects any suspicious traffic anomaly. The rule triggers when three suspicious events occur within two minutes. On the first threshold, the attacker address is added to the Hostile active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Suspicious/


Probable Successful Attack - Exploit

This rule detects an exploit on a specific resource. The rule correlates two events: Buffer_Overflow, which monitors any exploit attempt, and Service_Down, which monitors the successful stop or deletion of a database, service, or application. The rule triggers when the Buffer_Overflow event ends before the Service_Down event (whenever a database, a service, or an application is stopped or deleted because of a Buffer_Overflow). The rule does not trigger if the attacker is listed on a trusted list. On the first event, the attacker is added to the Hostile list and the target is added to the Compromised list. This rule is triggered by applications, services, or databases.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/

High Number of IDS Alerts for Backdoor

This rule detects backdoor alerts from Intrusion Detection Systems (IDS). The rule triggers when 20 events from the same device occur within two minutes.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Traffic Anomalies/

Firewall - Pass After Repetitive Blocks

This rule detects an attacker successfully passing through a firewall after having been blocked several times. The rule triggers when an attacker that belongs to an untrusted active list or the Repetitive Firewall Block List active list succeeds in going through the firewall. On the first event, the attacker address is added to the Suspicious List active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Traffic Anomalies/Firewall/

Firewall - Repetitive Block - In Progress

This rule detects an attacker being repetitively blocked by the firewall. The rule monitors failed access events. The rule triggers when 10 events occur within three minutes from the same attacker. On the first threshold, the attacker address is added to the Repetitive Firewall Block List active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Traffic Anomalies/Firewall/


Multi Host Application Brute Force Logins

This rule detects brute force login attempts from different hosts using the same user name. It looks for login attempts or failures from sources not listed in a trusted active list. The rule triggers after five occurrences from different hosts using the same user name within two minutes. On the first threshold, a correlation event is triggered that is caught by the Compromise - Attempt rule, which adds the attacker address to the Suspicious active list. The conditions require that the attacker address and zone are present, and that the generator ID (the rule Resource ID) is not the same as this rule's generator ID.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Attempts/

Probable Successful Attack - DoS

This rule detects a DoS attack against a specific service. The rule correlates two events: Attack_DoS, which is a DoS attack attempt, and Service, which occurs whenever an application is stopped or deleted, or a communication failure occurs. The rule triggers when the Attack_DoS event ends before the Service event (whenever an application is stopped or deleted, or a communication failure occurs due to a DoS attack). The rule does not trigger if the attacker is listed on a trusted active list. The rule also does not trigger if the attacker is already on the Infiltrators List, or if the target is already on the Hit List or Compromised List. On the first threshold, a correlation event with the categories Significance = Compromise and Outcome = Success is set.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/

Windows Account Locked Out Multiple Times

This rule detects Microsoft Windows user account locked out events (Security:644). The rule triggers if the Locked Count for that user account in the Windows Locked Out Accounts active list is equal to or greater than five. On the first event, the category significance is set to Informational/Warning.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Attempts/


Firewall - High Volume Accepts

This rule monitors the moving average of firewall accepts per zone. The rule triggers when the monitored value changes drastically (by 50%) relative to the moving average. The monitoring threshold and the moving average parameters are determined by the Moving Average data monitor for firewall accepts on the corresponding dashboard.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Traffic Anomalies/Firewall/

Application Brute Force Logins

This rule detects application brute force login attempts with the same user name from the same attacker. It looks for login attempts or failures from sources not listed on a trusted active list. The rule triggers after five occurrences from the same attacker within two minutes. On the first threshold, a correlation event is triggered that is caught by the Compromise - Attempt rule, which adds the attacker address to the Suspicious active list. The conditions require that the attacker address and zone are present, and that the generator ID (the Resource ID in the rule) is not the same as the generator ID for this rule.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Attempts/

Multiple Login Attempts to Locked Windows Account

This rule detects Microsoft Windows login attempt events targeting locked out accounts (Security:531). The rule triggers when five events originating from the same host and targeting the same account occur within two minutes. On the first threshold, the category significance is set to Informational/Warning.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Attempts/

Notify on Successful Attack

This rule detects successful attacks. This rule looks for high priority (>= 8) successful attacks for which the attacker is not in the Attackers/Trusted List. This rule only requires one such event, and the time frame is set to 10 minutes. After this rule is triggered, a notification is sent to the CERT team. The action to create a new case is available, but this action is disabled by default.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/


Suspicious Communication From Attacked Target

This rule detects suspicious communication from an attacked target. The rule triggers when the attacker address and zone are on a compromised target or untrusted attacker active list and the attacker translated address and zone are on the Compromised target active list; or whenever the target address and zone are in the hostile or suspicious attacker active list. On the first event, agent severity is set to high and the attacker address is added to the Suspicious active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Suspicious/

Suspicious Activity - Excess Suspicious Activity

This rule detects an excessive number of suspicious events between the same attacker/object pair. The rule triggers when four suspicious events occur within two minutes. On the first event, the attacker address is added to the Suspicious active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Suspicious/

Attack From Suspicious Source

This rule detects attacks coming from a source that is categorized as suspicious or untrusted and does not belong to the Attackers/Trusted List. The rule triggers when an event originating from a source belonging to a suspicious or untrusted active list, but not to the Attackers/Trusted List, has a category significance of Hostile or Compromise. On the first event, the source address is added to the Hostile active list and the event severity is set to high.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/

Probable Successful Attack - Probable Redirect Attack

This rule detects an exploit on a specific resource. It correlates two events: Attack_Redirection, which monitors any redirection attempt, and Attacks, which looks for recon, hostile, compromise, or suspicious events. The rule triggers when the Attack_Redirection event ends before the Attacks event and the target is redirected to the attacker zone (whenever there is a redirection before an attack). The rule does not trigger if the attacker is listed on a trusted list. On the first event, the attacker is added to the Hostile list and the target to the Compromised list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/


Windows Account Created and Deleted within 1 Hour

This rule detects Microsoft Windows account deletion events (Security:630). The rule triggers if the user account that is being deleted is in the Windows Created Accounts active list (by default, the active list TTL is set to one hour). On the first event, the user account is removed from the Windows Created Accounts active list and the category significance is set to Suspicious.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Suspicious/

Probable Successful Attack - Information Leak

This rule detects information leaks. The rule correlates two events: File_access, which monitors any attempted or successful information leak, and Access_success, which monitors successful access to a file. The rule triggers when the File_access event ends before the Access_success event (whenever a file is stolen and then accessed). The rule does not trigger if the attacker is on a trusted list. On the first event, the attacker is added to the Hostile list and the target to the Hit list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/

Probable Successful Attack - Execute

This rule detects the creation, execution, or start of a specific resource. The rule correlates two events: Execute, which monitors successful resource starts, service creation or execution, and file creation, and Execute_Attack, which occurs whenever there is an attempt to execute a command on an operating system, service, or application. The rule triggers when the Execute_Attack event ends before the Execute event (that is, when a resource is created, executed, or started because of a script execution). The rule does not trigger if the attacker is listed on a trusted list. On the first event, the attacker is added to the Hostile list and the target is added to the Compromised list. This rule is triggered by applications, services, or operating systems.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/
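The Probable Successful Attack rules above (Exploit, DoS, Redirect, Information Leak, Execute) all share one shape: a precursor event must end before a consequence event for the same attacker/target pair, the attacker must not be on the Trusted list, and on the first match the attacker is added to Hostile and the target to Compromised (or Hit). The following Python is an added illustration of that sequence-correlation logic written for this guide; it is not ArcSight code, and the Event fields, the toy clock, the 120-second pairing window, the sample addresses and the demo() helper are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    """A constructed, minimal event record; times are seconds on a toy clock."""
    name: str       # precursor or consequence name, e.g. "Execute_Attack" / "Execute"
    attacker: str   # attacker address
    target: str     # target address
    end: int        # event end time, the field the guide orders events by

@dataclass
class ActiveLists:
    """Stand-ins for the Trusted, Hostile, Compromised and Hit active lists."""
    trusted: set = field(default_factory=set)
    hostile: set = field(default_factory=set)
    compromised: set = field(default_factory=set)
    hit: set = field(default_factory=set)

def probable_successful_attack(events, precursor, consequence, lists,
                               window=120, target_list="compromised"):
    """Fire once per attacker/target pair when a `precursor` event ends before
    a `consequence` event for the same pair within `window` seconds, unless the
    attacker is on the Trusted list. On the first firing the attacker goes to
    Hostile and the target to Compromised (or Hit, for the Information Leak
    rule). Returns the list of pairs that fired, in firing order.
    The fixed window is an assumption; the guide does not state one."""
    firsts = [e for e in events if e.name == precursor]
    seconds = [e for e in events if e.name == consequence]
    fired = []
    for a in firsts:
        if a.attacker in lists.trusted:      # trusted attackers never fire
            continue
        for b in seconds:
            same_pair = (a.attacker, a.target) == (b.attacker, b.target)
            ordered = a.end < b.end          # precursor must end first
            in_window = b.end - a.end <= window
            if same_pair and ordered and in_window:
                pair = (a.attacker, a.target)
                if pair not in fired:        # actions only on the first event
                    fired.append(pair)
                    lists.hostile.add(a.attacker)
                    getattr(lists, target_list).add(a.target)
    return fired

# Constructed sample stream (not real data): one true positive, one trusted
# attacker, one pair where the consequence precedes the precursor.
SAMPLE_EVENTS = [
    Event("Execute_Attack", "10.0.0.5", "10.0.1.20", end=101),
    Event("Execute",        "10.0.0.5", "10.0.1.20", end=106),   # fires
    Event("Execute_Attack", "10.0.0.9", "10.0.1.21", end=50),
    Event("Execute",        "10.0.0.9", "10.0.1.21", end=55),    # trusted: no
    Event("Execute",        "10.0.0.7", "10.0.1.22", end=30),
    Event("Execute_Attack", "10.0.0.7", "10.0.1.22", end=40),    # wrong order: no
]

def demo():
    """Run the Execute rule shape over the constructed stream."""
    lists = ActiveLists(trusted={"10.0.0.9"})
    fired = probable_successful_attack(SAMPLE_EVENTS, "Execute_Attack",
                                       "Execute", lists)
    return fired, lists

if __name__ == "__main__":
    fired, lists = demo()
    print("fired:", fired)
    print("hostile:", lists.hostile, "compromised:", lists.compromised)
```

The same function models the other four rules by swapping the event names (Buffer_Overflow/Service_Down, Attack_DoS/Service, Attack_Redirection/Attacks, File_access/Access_success with target_list="hit").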


Suspicious Activity - Suspicious File Activity

This rule detects any failure that occurs with files between the same attacker/target pair. The rule triggers when four suspicious events occur within two minutes. On the first event, the attacker address is added to the Suspicious active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Suspicious/

Probable Attack - Script Attack

This rule detects multiple executions of scripts (HTTP, CGI, and so on) that have the same event name, attacker address, and target address within a short period of time. The rule monitors any attempts to start or execute a script that target an application, a service, or an operating system. The rule triggers when 10 events occur within one minute with the same event name, attacker address, and target address. On the first threshold, the attacker address is added to the Hostile active list and the target address is added to the Hit active list. Note: This rule does not trigger when running in Turbo Mode Fastest.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/

Probable Successful Attack - Brute Force

This rule detects brute force attack events and correlates them with a successful authentication event where the attack source and attacked target are the same, using the same target user ID. The rule triggers when five events occur within two minutes with the same attacker address and target address. On the first threshold, the user name is added to the Compromised User Accounts active list, and a correlation event is triggered that is processed by the Compromise - Success rule. Note: This rule does not trigger when running in Turbo Mode Fastest.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/

Multiple Windows Logins by Same User

This rule detects Microsoft Windows successful user login events. The rule triggers if the login count for that user in the Windows Login Count active list is equal to or greater than five (by default, the TTL for the active list is one hour). On the first event, the category significance is set to Informational/Warning.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/Attempts/


Library Resources

Suspicious List This resource has no description. Active List ArcSight System/Threat Tracking

Hostile List This resource has no description. Active List ArcSight System/Threat Tracking

Hit List This resource has no description. Active List ArcSight System/Targets

Compromised List

This resource has no description. Active List ArcSight System/Threat Tracking

Compromised User Accounts

This resource has no description. Active List ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/

Event-based Rule Exclusions

This active list stores event information that is used to exclude specific events from specific systems to other specific systems that have been determined to be not relevant to the rules that would otherwise trigger on these events.

Active List ArcSight System/Tuning

User-based Rule Exclusions

This active list contains target user information for specific users that are excluded from certain rule conditions where the rule tracks user activity.

Active List ArcSight System/Tuning

Windows Locked Out Accounts

This active list stores the user ID, the user name, and the number of times a Windows account has been locked out. The Windows Account Locked Out rule adds user accounts to the list (or increments the count if the user account is already in the list). The TTL is set to one hour by default.

Active List ArcSight Foundation/Intrusion Monitoring/User Tracking/

Infiltrators List This resource has no description. Active List ArcSight System/Threat Tracking

Windows Login Count

This active list stores the user ID, the user name, and the current number of workstations a Windows user is logged in to. The Successful Windows Login rule increments the count and the Successful Windows Logout rule decrements the count. The TTL is set to one hour by default.

Active List ArcSight Foundation/Intrusion Monitoring/User Tracking/

Trusted List This resource has no description. Active List ArcSight System/Attackers

Untrusted List This resource has no description. Active List ArcSight System/Attackers


Repetitive Firewall Block List

This resource has no description. Active List ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attackers/

Windows Created Accounts

This active list stores the user ID and the user name of the Windows accounts that have been created. The Windows Account Created rule adds user accounts to the list and the Windows Account Created and Deleted within 1 Hour removes user accounts from the list. The TTL is set to one hour by default.

Active List ArcSight Foundation/Intrusion Monitoring/User Tracking/

Protected This is a site asset category. Asset Category

Site Asset Categories/Address Spaces

Dark This is a site asset category. Asset Category

Site Asset Categories/Address Spaces

Attack Events This filter identifies events where the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Target User ID is NULL

This filter is designed for conditional expression variables. The filter identifies events in which the Target User ID is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/User/

External Source

This filter identifies events originating from outside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Successful Windows Login

This filter detects successful Windows login events (Device Event Class ID = Security:528). The filter looks for the following types of logins: console (2), lock (7), and remote (10).

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Operating System/

Outbound Events

This filter identifies events originating from inside the company network, targeting the outside network.

Filter ArcSight Foundation/Common/Network Filters/Location Filters/

Internal Source

This filter identifies events coming from inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

All Events This filter matches all events. Filter ArcSight System/Core

Internal Target This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

ArcSight Events

This resource has no description. Filter ArcSight System/Event Types


IDS - IPS Events

This filter identifies Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) events.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Inbound Events

This filter identifies events coming from the outside network targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Location Filters/

External Target

This filter identifies events targeting the outside network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Non-ArcSight Events

This resource has no description. Filter ArcSight System/Event Types

Top 10 Attackers

This report shows the top 10 attackers in a chart.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/IDS/

Attacker Counts by Target Port

This query identifies the target port, attacker zone name, attacker address, and the count of events where the target port is not null and the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Top Attacker Ports

This query identifies the transport protocol, attacker port, and the count of events where the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Top 10 Attackers

This query identifies the attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile. The query uses the sum of the aggregated event count instead of counting the EventID so that attackers are not split by the attack type.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom 10/

Bottom 10 Attackers

This query identifies the attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile. The query uses the sum of the aggregated event count instead of counting the EventID so that attackers using different attacks are not split by the attacker address or the attack type.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom 10/


Top Alert Sources

This query identifies the count of IDS and IPS alerts by source address, zone, device vendor, and device product.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/IDS/

Denied Inbound Connections per Hour

This query identifies the count of denied inbound connections per hour for each source zone.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Top 10 Attacker Details

This query identifies the priority, attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile. The query uses the sum of the aggregated event count instead of counting the EventID so that attackers are not split by the attack type.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom 10/

Closed VPN Connection Durations

This query identifies the user ID and the minimum, average, maximum, and total durations (in minutes) for all user IDs with closed or terminated VPN sessions in the User VPN Sessions list.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Durations by User/

Attacker Port Counts

This query identifies the attacker port, event name, and the count of events where the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Denied Inbound Connections by Port

This query identifies the count of denied inbound connections by destination port.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Top 10 Attack Sources

This query identifies the attacker zone name and the count of events where the category significance starts with Compromise or Hostile. The query uses the sum of the aggregated event count instead of counting the EventID so that attacks from within a zone are not split by the attacker address or the attack type.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom 10/

Attacker Counts by ArcSight Priority

This query identifies the priority, attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/


Users by Connection Count

This query identifies VPN events where the category behavior is /Access/Start, /Authentication/Verify, or /Authorization/Verify, with user information available, returning the user and host information, and the number of VPN connections.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Counts by User/

Denied Outbound Connections by Address

This query identifies the count of denied outbound connections by local address (source zone, address, and hostname).

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Denied Outbound Connections by Port

This query identifies the count of denied outbound connections by destination port.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Attacker Counts By Target

This query identifies the attacker zone name, attacker address, the event name, and the count of events where the category significance starts with Compromise or Hostile for the target information given in the parameters.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Attacker Counts by Device

This query identifies the device zone name, device address, attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Attacker Counts/

Top VPN Connection Durations

This query identifies the user ID and the average duration from the User VPN Sessions list, sorted by the top duration.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Durations by User/

Denied Outbound Connections per Hour

This query identifies the count of denied outbound connections per hour for each source zone.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Denied Inbound Connections by Address

This query identifies the count of denied inbound connections by foreign address (source zone, address, and hostname).

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Target Counts by Attacker Port

This query identifies the attacker port, target zone name, target address, and the count of events where the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/


Top Users by Connection Count

This query identifies VPN events where the category behavior is /Access/Start, /Authentication/Verify, or /Authorization/Verify, with user information available, returning the number of VPN connections per user.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Counts by User/

Attacker Counts by Attacker Port

This query identifies the attacker port, attacker zone name, attacker address, and the count of events where the category significance starts with Compromise or Hostile.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Port or Protocol/

Denied Outbound Connections per Hour (Chart)

This query identifies the count of denied outbound connections per hour.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Denied Inbound Connections per Hour (Chart)

This query identifies the count of denied inbound connections per hour.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/By Device Type/Firewall/

Bottom 10 Attack Sources

This query identifies the attacker zone name and the count of events where the category significance starts with Compromise or Hostile. The query uses the sum of the aggregated event count instead of counting the EventID so that attacks from within a zone are not split by the attacker address or the attack type.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/Top and Bottom 10/

Users with Open VPN Connections

This query identifies the user ID and the VPN device for each user in the User VPN Sessions list where the user entry has not been terminated (logged out or timed out) or expired (by default).

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Durations by User/

User VPN Sessions

This session list tracks VPN user session starts and stops (or terminations), for purposes of tracking user session durations. The default expiration time for a session is five days, at which point the session is automatically considered terminated. If a majority of the sessions are showing a duration of five days, consider increasing the Entry Expiration Time. The sessions are maintained by the User VPN Session Started and User VPN Session Stopped rules.

Session List

ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/


Business Impact Analysis

The Business Impact Analysis resources provide information about which business areas are the victims of the most attack activity.

Devices

The following device types can supply events that apply to the Business Impact Analysis resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The Business Impact Analysis resource group requires the following configuration for your environment:

Categorize all assets that have a business role in your environment with the Business Role asset category.

For more information about categorizing assets, refer to “Categorizing Assets” on page 13.

Resources

The following table lists all the resources in the Business Impact Analysis resource group and any dependent resources.

Table 3-5 Resources that Support the Business Impact Analysis Group

Resource Description Type URI

Monitor Resources

Business Roles - Last Hour

This active channel shows events received during the last hour. The active channel includes a sliding window that displays the last hour of event data, showing events matching the Targeted Business Impact Analysis filter, with the further restriction that the target asset has a Business Role. The Business Role category is a sub-category of /All Asset Categories/Site Asset Categories/Business Impact Analysis and uses the Business Impact Analysis field set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Active Channel

ArcSight Foundation/Intrusion Monitoring/Business Impact Analysis/Business Roles/


Business and Data Roles

This active channel shows events received during the last two hours. The active channel includes a sliding window that displays the last two hours of event data, showing an overview of hostile and compromise events related to assets within the Business Role, Data Role, or Classification categories. The events match the Targeted Business Impact Analysis filter. The Business Role, Data Role, and Classification categories are sub-categories of /All Asset Categories/Site Asset Categories/Business Impact Analysis. The active channel uses the Business Impact Analysis field set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Active Channel

ArcSight Foundation/Intrusion Monitoring/Business Impact Analysis/

Business Roles - Today

This active channel shows events received since midnight today. The active channel includes a sliding window that displays event data since midnight, showing events matching the Targeted Business Impact Analysis filter, with the further restriction that the target asset has a Business Role. The Business Role category is a sub-category of /All Asset Categories/Site Asset Categories/Business Impact Analysis and uses the Business Impact Analysis field set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Active Channel ArcSight Foundation/Intrusion Monitoring/Business Impact Analysis/Business Roles/


Data Roles - Today

This active channel shows events received since midnight today. The active channel includes a sliding window that displays event data since midnight, showing events matching the Targeted Business Impact Analysis filter, with the further restriction that the target asset has a Data Role. The Data Role category is a sub-category of /All Asset Categories/Site Asset Categories/Business Impact Analysis and uses the Business Impact Analysis field set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Active Channel ArcSight Foundation/Intrusion Monitoring/Business Impact Analysis/Data Roles/

Data Roles - Last Hour

This active channel shows events received during the last hour. The active channel includes a sliding window that displays the last hour of event data, showing events matching the Targeted Business Impact Analysis filter, with the further restriction that the target asset has a Data Role. The Data Role category is a sub-category of /All Asset Categories/Site Asset Categories/Business Impact Analysis and uses the Business Impact Analysis field set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Active Channel ArcSight Foundation/Intrusion Monitoring/Business Impact Analysis/Data Roles/

Business Role - Successful Attacks

This report displays a table and a chart showing the role and the sum of the aggregated event count for events with target asset IDs in the All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role asset category, that match the Attack Events filter and have a category outcome of Success.

Report ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Business Roles/

Business Role - Attempted Attacks

This report shows the role and the sum of the aggregated event count for events with target asset IDs in the All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role asset category, that match the Attack Events filter and have a category outcome that is not Success.

Report ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Business Roles/


Library Resources

Data Role

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis

Business Impact Analysis

This is a site asset category.

Asset Category Site Asset Categories

Business Role

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis

Business Impact Analysis

This field set includes: End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome, and Priority.

Field Set ArcSight Foundation/Intrusion Monitoring/Active Channels/

Attack Events

This filter identifies events in which the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Targeted Business Impact Analysis

This filter detects hostile & compromise events related to target assets within the Business Role, Data Role, or Classification categories. The events match: Non-ArcSight Internal Event, Target asset has a Business Impact Analysis Category - Priority > 5, Category Significance StartsWith /Compromise or /Hostile. The Business Role, Data Role, and Classification categories are sub-categories of /All Asset Categories/Site Asset Categories/Business Impact Analysis.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/

ArcSight Internal Events

This resource has no description.

Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description.

Filter ArcSight System/Event Types

ASM Events

This resource has no description.

Filter ArcSight System/Event Types

Successful Attacks

This filter detects events that have a significance of Compromise or Hostile, and an outcome of Success.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

All Events

This filter matches all events.

Filter ArcSight System/Core


Business Role - Successful Attacks

This query returns the role and the sum of the aggregated event count for events with Target Asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role asset category, that match the Attack Events filter and have a category outcome of Success.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Business Role/

Business Role - Attempted Attacks

This query returns the role and the sum of the aggregated event count for events with Target Asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role asset category, that match the Attack Events filter and have a category outcome that is not Success.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Business Role/
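The filter and query descriptions in this group can be read as one small evaluation pipeline: the Attack Events filter selects by category significance, Successful Attacks adds the outcome test, Targeted Business Impact Analysis adds the asset-category and priority tests, and the two Business Role queries sum the aggregated event count per role. The Python below is an added example written for the reader of this guide, not ArcSight content or the product's own query logic. The Event fields, the asset category URI strings, the Device Vendor "ArcSight" test standing in for the Non-ArcSight Internal Events filter (which has no description on this page), and every sample value are assumptions constructed for the example.

```python
# Added example (not ArcSight code): how the Attack Events, Successful Attacks
# and Targeted Business Impact Analysis filters select events, and how the
# Business Role - Successful/Attempted Attacks queries aggregate them.
from collections import defaultdict
from dataclasses import dataclass

BIA_ROOT = "/All Asset Categories/Site Asset Categories/Business Impact Analysis"


@dataclass
class Event:
    name: str
    category_significance: str   # e.g. "/Compromise", "/Hostile", "/Informational"
    category_outcome: str        # e.g. "/Success", "/Failure", "/Attempt"
    priority: int                # ESM priority, 0-10
    aggregated_event_count: int = 1
    target_asset_categories: tuple = ()   # category URIs of the target asset
    device_vendor: str = "ExampleIDS"     # constructed vendor name


def is_arcsight_internal(ev: Event) -> bool:
    # Assumption for this example: ESM's own status/audit events carry the
    # Device Vendor "ArcSight". The real Non-ArcSight Internal Events filter
    # has no description on the page.
    return ev.device_vendor == "ArcSight"


def attack_events(ev: Event) -> bool:
    """Attack Events filter: significance starts with /Compromise or /Hostile."""
    return ev.category_significance.startswith(("/Compromise", "/Hostile"))


def successful_attacks(ev: Event) -> bool:
    """Successful Attacks filter: an attack event whose outcome is /Success."""
    return attack_events(ev) and ev.category_outcome == "/Success"


def has_bia_category(ev: Event) -> bool:
    """True when the target asset is in any Business Impact Analysis sub-category."""
    return any(c.startswith(BIA_ROOT + "/") for c in ev.target_asset_categories)


def targeted_bia(ev: Event) -> bool:
    """Targeted Business Impact Analysis filter as described on the page:
    non-internal event, target has a BIA category, priority > 5, attack significance."""
    return (not is_arcsight_internal(ev)
            and has_bia_category(ev)
            and ev.priority > 5
            and attack_events(ev))


def business_role(ev: Event):
    """Name of the target's Business Role sub-category, or None."""
    prefix = BIA_ROOT + "/Business Role/"
    for c in ev.target_asset_categories:
        if c.startswith(prefix):
            return c[len(prefix):]
    return None


def business_role_counts(events, successful: bool) -> dict:
    """Business Role - Successful Attacks (successful=True) or Attempted Attacks
    (successful=False): role -> sum of aggregated event count over attack events."""
    totals = defaultdict(int)
    for ev in events:
        role = business_role(ev)
        if role is None or not attack_events(ev):
            continue
        if (ev.category_outcome == "/Success") == successful:
            totals[role] += ev.aggregated_event_count
    return dict(totals)


FINANCE = BIA_ROOT + "/Business Role/Finance"
HR = BIA_ROOT + "/Business Role/HR"
PII = BIA_ROOT + "/Data Role/PII"

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("SQL injection", "/Hostile", "/Success", 8, 3, (FINANCE,)),
    Event("Web exploit attempt", "/Hostile", "/Failure", 6, 5, (FINANCE, PII)),
    Event("Buffer overflow", "/Compromise", "/Success", 9, 1, (HR,)),
    Event("User login", "/Informational", "/Success", 3, 1, (HR,)),
    Event("Low-priority probe", "/Hostile", "/Success", 4, 2, (PII,)),
    Event("Brute force", "/Hostile", "/Attempt", 7, 4, (FINANCE,)),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.name, "targeted:", targeted_bia(ev), "successful:", successful_attacks(ev))
    print("successful by role:", business_role_counts(SAMPLE_EVENTS, True))
    print("attempted by role:", business_role_counts(SAMPLE_EVENTS, False))
```

Note that the "Low-priority probe" event is a successful attack for the Successful Attacks filter but is not selected by Targeted Business Impact Analysis, because its priority is not above 5; the priority test is what keeps low-scored noise out of the business-impact channels, so tuning asset criticality (which feeds priority) changes what those channels show.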


DoS

The DoS (Denial of Service) resources use moving average data monitors and categorized events with the technique set to /DoS to help determine when a DoS is taking place. The data monitors highlight high-volume activity that might result in a DoS. The categorized events (mostly from an IDS) can show DoS events that do not require exceeding bandwidth or processing limitations.

Devices

The following device types can supply events that apply to the DoS resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The DoS resource group requires the following configuration for your environment:

Populate the /ArcSight System/Tuning/Event-based Rule Exclusions active list with the events that you do not want to trigger rules.

Enable the Inbound DoS Events trend. This trend is used by the Trend: Inbound DoS Events - Yesterday report.

Resources

The following table lists all the resources in the DoS resource group and any dependent resources.

Table 3-6 Resources that Support the DoS Group

Resource Description Type URI

Monitor Resources

DoS Channel

This active channel shows events received during the last two hours and includes a sliding window that displays the last two hours of event data. The active channel uses its own filter to limit the view to Denial of Service related events where the Category Technique = /DoS, the Category Significance = /Compromise, the Category Outcome = /Success and the event MatchesFilter(Internal Target).

Active Channel ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/


Inbound Event Spikes

This dashboard includes several moving average data monitors that measure event activity, looking for suspicious spikes in activity. Use these data monitors to determine if a Denial of Service attack is starting. The data monitors include activity reported by firewalls, activity related to the protected network, activity related to protected hosts, and activity related to the services on the protected network.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/

Trend: Inbound DoS Events - Yesterday

This report displays the target zones and the associated number of DoS events per hour.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/

Inbound DoS Events - Yesterday

This report shows each target zone with the counts of the DoS events separated by service. A detailed table follows the chart, with the DoS event counts subtotaled for each zone and a total for all zones at the end.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/

Library - Correlation Resources

Possible DoS on Hosts

This rule detects two conditions: a spike in events detected by the Inbound Event Spikes for Hosts data monitor, and an event describing either failure to communicate with the host mentioned in the first event or an event describing a host shut down. The rule detects two such events within three minutes. This aggregation is used to keep the rule from triggering too often if a host reboots or restarts its affected service quickly. On the first event, the rule triggers an event describing a successful Denial of Service compromise on the affected host.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/


Possible DoS on Network

This rule detects two conditions: a spike in events detected by the Inbound Event Spikes for Networks data monitor, and an event describing failure to communicate with hosts on the network zone mentioned in the first event. The rule detects six such events within one minute involving six different hosts. This aggregation is used to determine whether the spike concerns a specific host on the network or is a possible Denial of Service attack against the entire network. On the first threshold (six such events), the rule triggers an event describing a successful Denial of Service compromise on the affected network zone.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

Possible DoS on Services

This rule detects two conditions: a spike in events detected by the Inbound Event Spikes for Services data monitor, and an event describing either failure to communicate with a service on a host mentioned in the first event or an event describing a service shutdown. The rule triggers when there are two such events within three minutes. This aggregation is used to keep the rule from triggering too often if a host reboots or restarts its affected service quickly. On the first event, the rule triggers an event describing a successful Denial of Service compromise on the affected network zone.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

High Number of IDS Alerts for DoS

This rule detects Denial of Service (DoS) alerts from Intrusion Detection Systems (IDS). The rule triggers when 20 events from the same device occur within two minutes.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

SYN Flood Detected by IDS or Firewall

This rule detects SYN flood alerts from Intrusion Detection Systems (IDS) or firewalls. The rule triggers when 20 events from the same device occur within two minutes.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

Library Resources

Trusted List

This resource has no description.

Active List ArcSight System/Attackers


Event-based Rule Exclusions

This active list stores event information used to exclude specific events, from specific source systems to specific destination systems, that have been determined not to be relevant to the rules that would otherwise fire on those events.

Active List ArcSight System/Tuning

ArcSight System Administration

This is a system administration asset category.

Asset Category /

Protected

This is a site asset category.

Asset Category Site Asset Categories/Address Spaces

Inbound Event Spikes for Hosts

This data monitor sums the count of events constrained by the Inbound Events for Hosts filter. The data monitor checks up to 10 hosts (zone/host, the 10 most frequently accessed hosts) over 30 second intervals over a period of a half-hour. It sends an alarm event if the moving average changes by 300%. This data monitor detects sudden increases in request or access activity related to the protected hosts. The alarm threshold is set high to detect significant spikes in the related event flow. The discard threshold is also set high (average 100 events per second) to filter out low event rates where an event spike of 10 or so packets with an average of one would be a false positive.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/Inbound Event Spikes/

Inbound Event Spikes for Services

This data monitor sums the count of events constrained by the Inbound Events for Service filter. The data monitor checks up to 10 services (zone/address/port, the 10 most accessed hosts/services) over 15 second intervals over a 15 minute period. It sends an alarm event if the moving average changes by 300%. This data monitor detects sudden increases in activity related to services on the protected network. The alarm threshold is set high to detect significant spikes in the related event flow. The discard threshold is also set high (100 events per second on average) to filter out low event rates where an event spike of 10 or so packets with an average of one would be a false positive.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/Inbound Event Spikes/


Inbound Event Spikes for Networks

This data monitor sums the count of events constrained by the Inbound Events for Networks filter. The data monitor checks up to 10 zones (the 10 most frequently accessed zones) over one minute intervals over a period of an hour. It sends an alarm event if the moving average changes by 300%. This data monitor detects sudden increases in request or access activity related to the protected network. The alarm threshold is set high to detect significant spikes in the related event flow. The discard threshold is also set high (average 100 events per second) to filter out low event rates where an event spike of 10 or so packets with an average of one would be a false positive.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/Inbound Event Spikes/

Firewall Accepts

This data monitor sums the count of events constrained by the Inbound Events for Networks filter. The data monitor checks up to five firewalls (the five firewalls reporting the most request or access activity) over five minute intervals over a period of an hour. It sends an alarm event if the moving average changes by 50%. This data monitor detects sudden increases in request or access activity related to the protected network.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/Inbound Event Spikes/
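The Inbound Event Spikes data monitors and the Possible DoS on Hosts rule describe a two-stage detection: a moving average over fixed intervals that raises an alarm when the current interval exceeds the average by 300% (but only once the baseline rate is above the discard threshold), and a rule that correlates that alarm with a host-down event for the same host within three minutes. The Python below is an added example that models both stages as they are described in the Inbound Event Spikes for Hosts and Possible DoS on Hosts entries; it is not ArcSight's data monitor or rule engine. The interval bookkeeping, the "host unreachable"/"host shutdown" event names, the suppression of repeat firings inside the window, and all traffic counts are assumptions constructed for the example.

```python
# Added example (not ArcSight code): a moving-average spike monitor with the
# alarm and discard thresholds described for Inbound Event Spikes for Hosts,
# feeding a two-event correlation modelled on Possible DoS on Hosts.
from collections import defaultdict, deque
from datetime import datetime, timedelta


class MovingAverageMonitor:
    """Per-key moving average of per-interval event counts.

    Defaults mirror the hosts monitor on the page: 30 s intervals over a
    half-hour (60 samples), alarm at a 300% change, discard below an average
    of 100 events per second, at most 10 keys (the busiest hosts) per interval.
    """

    def __init__(self, interval_s=30, window_s=1800, alarm_pct=300.0,
                 discard_eps=100.0, max_keys=10):
        self.interval_s = interval_s
        self.alarm_pct = alarm_pct
        self.discard_eps = discard_eps
        self.max_keys = max_keys
        samples = window_s // interval_s
        self.history = defaultdict(lambda: deque(maxlen=samples))

    def close_interval(self, counts, ts):
        """Feed {key: count} for one closed interval; return alarm records."""
        alarms = []
        busiest = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
        for key, n in busiest[:self.max_keys]:
            hist = self.history[key]
            if hist:
                avg = sum(hist) / len(hist)
                # Discard threshold: a low baseline rate is ignored, so a handful
                # of extra packets on a quiet host cannot become a 300% "spike".
                if avg > 0 and avg / self.interval_s >= self.discard_eps:
                    change_pct = (n - avg) / avg * 100
                    if change_pct >= self.alarm_pct:
                        alarms.append({"key": key, "time": ts, "count": n,
                                       "avg": avg, "change_pct": round(change_pct)})
            hist.append(n)
        return alarms


class PossibleDoSOnHosts:
    """Fire when a host-down event follows a spike alarm for the same host
    within three minutes; further firings for that host inside the window are
    suppressed (assumption: a model of the rule's aggregation, not ESM's exact
    rule semantics)."""
    WINDOW = timedelta(minutes=3)
    HOST_DOWN = {"host unreachable", "host shutdown"}   # constructed event names

    def __init__(self):
        self.spikes = {}   # host -> time of the latest spike alarm
        self.fired = {}    # host -> time the rule last fired

    def on_spike(self, alarm):
        self.spikes[alarm["key"]] = alarm["time"]

    def on_host_event(self, host, name, ts):
        if name not in self.HOST_DOWN:
            return None
        spike_ts = self.spikes.get(host)
        if spike_ts is None or not (timedelta(0) <= ts - spike_ts <= self.WINDOW):
            return None
        last = self.fired.get(host)
        if last is not None and ts - last <= self.WINDOW:
            return None
        self.fired[host] = ts
        return {"name": "Possible DoS on Hosts", "target": host, "time": ts,
                "category_significance": "/Compromise", "category_outcome": "/Success"}


def run_scenario():
    """Constructed traffic: a busy host that jumps 4x, a quiet host that jumps
    20x but stays under the discard threshold, then host-down events."""
    t0 = datetime(2012, 9, 14, 10, 0, 0)
    monitor, rule, alarms = MovingAverageMonitor(), PossibleDoSOnHosts(), []
    busy, quiet = "10.0.0.5", "10.0.0.9"
    per_interval = [{busy: 4500, quiet: 15}] * 4 + [{busy: 20000, quiet: 300}]
    for i, counts in enumerate(per_interval):
        ts = t0 + timedelta(seconds=30 * (i + 1))
        for alarm in monitor.close_interval(counts, ts):
            alarms.append(alarm)
            rule.on_spike(alarm)
    spike_end = t0 + timedelta(seconds=30 * len(per_interval))
    host_events = [
        (busy, "host unreachable", spike_end + timedelta(seconds=60)),
        (busy, "host unreachable", spike_end + timedelta(seconds=90)),  # suppressed
        (quiet, "host shutdown", spike_end + timedelta(seconds=100)),   # no spike
    ]
    fired = [r for r in (rule.on_host_event(*e) for e in host_events) if r]
    return alarms, fired


if __name__ == "__main__":
    alarms, fired = run_scenario()
    for a in alarms:
        print("spike:", a)
    for f in fired:
        print("correlated:", f)
```

The quiet host goes from 15 to 300 events per interval, a larger relative change than the busy host, yet raises nothing because its baseline of 0.5 events per second is below the 100 events per second discard threshold; this is exactly the false positive the page says the discard threshold is there to avoid, and it is the first thing to re-check when the monitor seems blind to a small host.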

Application Protocol is not NULL

This filter identifies if an event has an entry for the Application Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Firewall Accepts

This resource has no description.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

Possible Attack Events

This filter retrieves events in which the category significance is Compromise, Hostile, or Suspicious. Note: There is no restriction on whether the target is an internal or external system.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Attack Rates/

Inbound Events for Service

This filter retrieves request or access events targeting internal services, with the exception of trusted attackers (approved internal vulnerability scanners) and ArcSight administrative assets.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/


Inbound Events for Networks

This filter retrieves request or access events targeting the network as a whole, with the exception of trusted attackers (approved internal vulnerability scanners) and ArcSight administrative assets.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

Target Port is not NULL

This filter identifies if an event has an entry for the Target Port field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Successful Inbound DoS Events - Trend Filter

This filter identifies events that are related to successful Denial of Service attacks on internal targets, with the exception of trusted attackers (approved internal vulnerability scanners). This filter is used to select events by a query for a trend on Denial of Service attacks affecting the network, but can also be used for filtering events for a standard event report (not a trend report).

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

ASM Events

This resource has no description.

Filter ArcSight System/Event Types

Internal Target

This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

IDS - IPS Events

This filter identifies Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) events.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Target Asset has Asset Name

This filter is used by some of the query variables to determine if an event has an entry for the Target Asset Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Asset/

Target Service Name is not NULL

This filter identifies if an event has an entry for the Target Service Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Inbound Events for Hosts

This filter retrieves request or access events targeting internal hosts on the network as a whole, with the exception of trusted attackers (approved internal vulnerability scanners) and ArcSight administrative assets.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/

ArcSight Internal Events

This resource has no description.

Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description.

Filter ArcSight System/Event Types


Firewall Events

This filter retrieves events with the Firewall category device group.

Filter ArcSight Foundation/Common/Device Class Filters/

Transport Protocol is not NULL

This filter identifies if an event has an entry for the Transport Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Successful Inbound DoS Events Query on Trend

This query on the Inbound DoS Events trend returns the target zone name, the target asset name (or its IP address), the service name (Application Protocol Name/Transport Protocol Name: Target Port), a timestamp and sums the number of Denial of Service events against the services on that asset during the time-period (hourly), for the Trend: Inbound DoS Events - Yesterday report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/

Successful Inbound DoS Events Last Hour

This query returns data for reporting the target zone name, the asset name (or IP address), the service name, and a summary of event counts. Note: The filter used is also used for a trend.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/DoS/

Successful Inbound DoS Events - Trend

This query returns data for reporting the target zone name, the asset name (or IP address), the service name and a summary of event counts. This data is used to populate the Inbound DoS Events trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/Trend Queries/

Inbound DoS Events

This trend contains data selected by the Successful Inbound DoS Events - Trend query, which selects the day, the service (a variable based on the service name or application protocol, the transport protocol, and the port such as HTML/TCP:80), the TargetAssetName (a variable using the host name, if available, or the IP address), and sums the aggregated event count. Note: This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/


Environment State

The Environment State resources provide information about activity that reflects the state of the overall network, and provide details about applications, operating systems and services.

Devices

The following device types can supply events that apply to the Environment State resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Resources

The following table lists all the resources in the Environment State resource group and any dependent resources.

Table 3-7 Resources that Support the Environment State Group

Resource Description Type URI

Monitor Resources

Application Overview

This active channel shows events received during the last two hours. The active channel includes a sliding window that displays the last two hours of event data. The channel uses two filters to limit the view to application related events, non-ArcSight internal events, and events for internal applications excluding services.

Active Channel ArcSight Foundation/Intrusion Monitoring/Environment State/

Service Overview

This active channel shows events received during the last two hours. The active channel includes a sliding window that displays the last two hours of event data. The active channel uses two filters to limit the view to service related events, non-ArcSight internal events, and events for internal services.

Active Channel ArcSight Foundation/Intrusion Monitoring/Environment State/


Operating System Overview

This active channel shows events received during the last two hours. The active channel includes a sliding window that displays the last two hours of event data. The channel uses two filters to limit the view to operating system related events, non-ArcSight internal events, and events for internal operating systems.

Active Channel ArcSight Foundation/Intrusion Monitoring/Environment State/

Current Environment Status Overview

This dashboard shows an overview of the current environment based on application events, operating system events, and service events. There are two data monitors for each area, a moving average data monitor and a top 10 events data monitor. Use this dashboard to view changes in network activity and see the most frequent events.

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/

Trend: Top Application Status Events over the Last 24 Hours

This report shows each target zone with a trend of the event counts separated by application. A detailed table shows each application and host in descending order by the event counts.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Application/

Trend: Environment Status Events - Yesterday

This report displays four 3D stacked bar charts. The first chart shows each target zone with the event count trend for the network. The remaining charts show the application, operating system, or service event trends separated by zones.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/

Environment Status Events over the Last 24 Hours

This report displays several 3D stacked bar charts. The first chart shows each target zone with the event counts for the network. The remaining charts show the application, operating system, or service events separated by zones.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/

Trend: Top OS Status Events over the Last 24 Hours

This report shows each target zone with a trend of the event counts separated by operating system. A detailed table shows each OS and host in descending order by the event counts.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Operating System/

Top Service Status Events over the Last 24 Hours

This report shows the service status event counts by application. A detailed table shows each service and host in descending order by the event counts.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Service/


Top OS Status Events over the Last 24 Hours

This report shows the OS status event counts by operating system. A detailed table shows each operating system and host in descending order by the event counts.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Operating System/

Top Application Status Events over the Last 24 Hours

This report shows the application status event counts by application. A detailed table shows each application and host in descending order by the event counts.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Application/

Trend: Top Service Status Events over the Last 24 Hours

This report shows each target zone with a trend of the event counts separated by service. A detailed table shows each service and host in descending order by the event counts.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Service/

Library Resources

Protected

This is a site asset category.

Asset Category Site Asset Categories/Address Spaces

Operating System

This is a site asset category.

Asset Category Site Asset Categories

Service Event Counts

This data monitor sums the count of events constrained by the Events for Internal Services filter. The data monitor checks up to 20 Category Objects (the 20 most frequent events related to that object) over five minute intervals over a two hour period. It sends an alarm event if the moving average changes by 50%. This data monitor detects sudden increases or decreases in activity related to services on the protected network.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Current Application Status Overview/

Top 10 Application Events

This data monitor shows events constrained by the Events for Internal Applications excluding services filter. The data monitor checks 1,000 distinct events in five minute intervals over the period of an hour.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Current Application Status Overview/

Top 10 Service Events

This data monitor displays events constrained by the Events for Internal Services filter. The data monitor checks 1,000 distinct events in five minute intervals over the period of an hour.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Current Application Status Overview/


Application Event Counts

This data monitor sums the count of events constrained by the Events for Internal Applications excluding services filter. The data monitor checks up to 20 Category Objects/Category Device Groups (the 20 most frequent events related to that object/device) over five minute intervals over a two hour period. It sends an alarm event if the moving average changes by 50%. This data monitor detects sudden increases or decreases in activity related to applications on the protected network.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Current Application Status Overview/

Operating Systems Event Counts

This data monitor sums the count of events constrained by the Events for Internal Operating Systems filter. The data monitor checks up to 20 Category Objects/Category Device Groups (the 20 most frequent events related to that object/device) over five minute intervals over a two hour period. It sends an alarm event if the moving average changes by 50%. This data monitor detects sudden increases or decreases in activity related to operating systems on the protected network.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Current Application Status Overview/

Top 10 Operating System Events

This data monitor shows events constrained by the Events for Internal Operating Systems filter. The data monitor checks 1,000 distinct events in five minute intervals over the period of an hour.

Data Monitor ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Current Application Status Overview/

Status Overview

This field set includes: End Time, Name, Category Object, Category Device Group, Attacker Target, Priority, Device Vendor, and Device Product.

Field Set ArcSight Foundation/Intrusion Monitoring/Active Channels/

Application Protocol is not NULL

This filter identifies if an event has an entry for the Application Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/


Events for Internal Applications excluding services

This filter identifies events that are not ArcSight internal events and that are related to an internal destination. The events are further limited to being in the Application category device group or being a Category Object of /Host/Application, but not a Category Object of /Host/Application/Service.

Filter ArcSight Foundation/Intrusion Monitoring/Environment State/

Target Asset has OS Categorization

This filter identifies if the target in an event has an Asset Category within /Site Asset Categories/Operating System.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Asset/

Target Object starts with Host Application

This filter identifies if an event's Category Object is within /Host/Application.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Categories/

Target Port is not NULL

This filter identifies if an event has an entry for the Target Port field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

ASM Events

This resource has no description.

Filter ArcSight System/Event Types

Internal Target

This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Target Asset has Asset Name

This filter is used by some of the query variables to determine if an event has an entry for the Target Asset Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Asset/

Target Service Name is not NULL

This filter identifies if an event has an entry for the Target Service Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Events for Internal Services

This filter identifies events that are not ArcSight internal events and that are related to an internal destination. The events are further limited to having a port set or being a Category Object of /Host/Application/Service.

Filter ArcSight Foundation/Intrusion Monitoring/Environment State/

Transport Protocol is not NULL

This filter identifies if an event has an entry for the Transport Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Events for Internal Operating Systems

This filter identifies events that are not ArcSight internal events and that are related to an internal destination. The events are further limited to being in the Category Device Group /Operating System or being a Category Object of /Host/Operating System.

Filter ArcSight Foundation/Intrusion Monitoring/Environment State/

Top Service Status Events on Trend

This query returns the target zone name, the trend type name (dvLabelName), and the time, and sums the number of events for that zone in the time range for the Top Service Status Events over the Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Service/

Top Service Status Events over the Last 24 Hours (Chart Query)

This query returns the data for reporting the target zone name, service name (a variable field), and a summary of the event counts for overview information in a report (a chart). This query uses the Events for Internal Services filter to limit events to those related to services.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Service/

Top Status Events on Trend

This query returns the target zone name, the trend type (application, operating system, service), and the time, and sums the number of events for that zone in the time range for the Environment Status Events - Yesterday report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Application, OS and Service/

Top OS Status Events over the Last 24 Hours

This query returns the data for reporting the target zone name, operating system name (a variable field), the target asset name (another variable field), and a summary of the event counts for detailed information in a report (a table). This query uses the Events for Internal Operating Systems filter to limit events to those related to Operating Systems.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Operating System/

Top Application Status Events on Trend

This query returns the target zone name, the trend type name (dvLabelName), and the time, and sums the number of events for that zone in the time range for the Top Application Status Events over the Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Application/

Environment Status Events - Trend

This query returns the data for reporting the target zone name, the time (expressed within a variable), the service, operating system or application name (another variable field), and a summary of the event counts for overview information to populate the Environment Status Events trend. This query uses the Events for Internal Operating Systems, Events for Internal Applications excluding services, and Events for Internal Services filters to limit events to those related to the network environment state.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Application, OS and Service/Trend Queries/

Top Application Status Events over the Last 24 Hours

This query returns the data for reporting the target zone name, application name (a variable field), the target asset name (another variable field), and a summary of the event counts for detailed information in a report (a table). This query uses the Events for Internal Applications excluding services filter to limit events to those related to applications.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Application/

Top Operating System Status Events on Trend

This query returns the target zone name, the trend type name (dvLabelName), and the time, and sums the number of events for that zone in the time range for the Top OS Status Events over the Last 24 Hours report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/Operating System/

Top Service Status Events over the Last 24 Hours

This query returns the data for reporting the target zone name, service name (a variable field), the target asset name (another variable field), and a summary of the event counts for detailed information in a report (a table). This query uses the Events for Internal Services filter to limit events to those related to services.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Service/

Environment Status Events over the Last 24 Hours (Chart Query)

This query returns the data for reporting the target zone name, the target asset name (a variable field), and a summary of the event counts for overview information in a report (a chart). This query uses the Events for Internal Operating Systems, Events for Internal Applications excluding services, and Events for Internal Services filters to limit events to those related to the network environment state.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/

Top Application Status Events over the Last 24 Hours (Chart Query)

This query returns the data for reporting the target zone name, application name (a variable field), and a summary of the event counts for overview information in a report (a chart). This query uses the Events for Internal Applications excluding services filter to limit events to those related to applications.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Application/

Top OS Status Events over the Last 24 Hours (Chart Query)

This query returns the data for reporting the target zone name, operating system name (a variable field), and a summary of the event counts for overview information in a report (a chart). This query uses the Events for Internal Operating Systems filter to limit events to those related to Operating Systems.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Environment State/Operating System/

Environment Status Events

This trend collects summary counts of events, storing the target zone, the time, the service, application or operating system names, and a marker field that can be used by queries to extract data for any one or all of the related areas. This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Environment State/

Login Tracking

The Login Tracking resources provide information about user logins.

Devices

The following device types can supply events that apply to the Login Tracking resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Identity management systems

VPNs

Configuration

The Login Tracking resource group requires the following configuration for your environment:

Populate the User-based Rule Exclusions active list with the users you want to exclude from certain rule conditions where the rule tracks user activity.

Resources

The following table lists all the resources in the Login Tracking resource group and any dependent resources.

Table 3-8 Resources that Support the Login Tracking Group

Resource Description Type URI

Monitor Resources

Network Login Overview

This dashboard shows an overview of logins on network devices. The dashboard displays the Last 10 Failed Login Events, Last 10 Successful Login Events, Login Results, and the Top 10 Users With Failed Logins data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

VPN Login Overview

This dashboard shows an overview of VPN logins. The dashboard displays the Last 10 Failed Login Events, Last 10 Successful Login Events, Login Results, and Top 10 Users With Failed Logins data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

Identity Management Overview

This dashboard displays information reported by Identity Management devices, such as the top users by number of connections, and authentication failures by source and destination.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

Firewall Login Overview

This dashboard shows an overview of firewall logins. The dashboard displays the Last 10 Failed Login Events, Last 10 Successful Login Events, Login Results, and Top 10 Users With Failed Logins data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

Operating System Login Overview

This dashboard shows an overview of operating system logins. The dashboard displays the Last 10 Failed Login Events, Last 10 Successful Login Events, Login Results, and Top 10 Users With Failed Logins data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

Login Event Audit

This report shows all the successful and failed login events in a table sorted chronologically.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Successful Logins by User

This report shows authentication successes from login attempts by user. A chart shows the top users with successful login attempts. A table shows details of the successful login attempts grouped and sorted by user.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Device SNMP Authentication Failures

This report shows summaries of SNMP authentication failures by device or by user. A table details the failed user SNMP authentication attempts for the devices. Two charts give an overview of the users or devices with the most SNMP authentication failures. Use this report to help determine if SNMP accounts are targets of brute force attacks and which devices are exhibiting the most SNMP authentication failure activity.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Network/

Failed Login Attempts

This report shows the count of authentication failures from login attempts by hour in a chart and the details of all the authentication failures in a table.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Failed Logins by Destination Address

This report shows authentication failures from login attempts by destination address. A chart shows the top 10 destination addresses with failed login attempts. A table shows the count of authentication failures by destination-source pair and by user.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Connection Durations by User

This report shows duration information about VPN connections for each user. A summary of the top VPN connection duration by user is provided. Details of the connection durations for each user are also provided, including minimum, average, maximum, and total connection minutes. Also included are details of connections that are currently open at the time the report is run. By default, this report shows user VPN duration information for the previous day.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Successful Logins by Destination Address

This report shows authentication successes from login attempts by destination address. A chart shows the top 10 destination addresses with successful login attempts. A table shows the count of authentication successes by destination-source pair and by user.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Windows Events

This report displays a table showing the event information reported by any Microsoft operating system.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Operating System/

Connection Counts by User

This report shows count information about connections for each user reported by Identity Management devices. A summary of the top users by connection count is provided.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Failed Logins by User

This report shows authentication failures from login attempts by user. A chart shows the top 10 users with failed login attempts. A table shows the details of the failed login attempts grouped and sorted by user.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

User Activity

This report displays a table showing user activity information.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

Failed Logins by Source Address

This report shows authentication failures from login attempts by source address. A chart shows the top 10 source addresses with failed login attempts. A table shows the count of authentication failures by source-destination pair and by user.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Successful Logins by Source Address

This report shows authentication successes from login attempts by source address. A chart shows the top 10 source addresses with successful login attempts. A table shows the count of authentication successes by source-destination pair and by user.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Login Errors by User

This report shows a summary of the operating system login errors by username. A chart shows the top 10 users with failed logins. A table shows details of the failed logins for each username (time, event name, source, destination).

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Operating System/

Top Hosts by Number of Connections

This report shows a summary of the number of connections by the top hosts in a chart. By default, the chart shows the number of connections by host for the previous day.

Report ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Library - Correlation Resources

User Session (Administrative User) Stopped

This rule detects user session stop events reported by identity management devices, defined as an identity management access stop event with user ID and session information. The rule then updates the Identity Management's User Sessions list. This rule supports Cisco Secure ACS.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

User Session (Accounting User) Started

This rule detects user session start events reported by identity management devices, defined as an identity management access start event with user ID and session information. The rule then updates the Identity Management's User Sessions list. This rule supports Juniper Steel-Belted Radius.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

Successful Windows Logout

This rule detects Microsoft Windows successful user logout events. On the first event, the Login Count in the Windows Login Count active list is decremented, and the device and agent severity are set to Low.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/

Windows Account Locked Out

This rule detects Microsoft Windows user account locked out events (Security:644). On the first event, the user account is added in the Windows Locked Out Accounts active list, and the device and agent severity are set to Medium. If the user account is already in the active list, the Locked Count is incremented.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/

User Session (Normal User) Stopped

This rule detects user session stop events reported by identity management devices, defined as an identity management access stop event with user ID and session information. The rule then updates the Identity Management's User Sessions list. This rule supports ActivCard AAA Server Accounting and Cisco VPN products.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

User Session (Accounting User) Stopped

This rule detects user session stop events reported by identity management devices, defined as an identity management access stop event with user ID and session information. The rule then updates the Identity Management's User Sessions list. This rule supports Juniper Steel-Belted Radius.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

Successful Windows Login

This rule detects Microsoft Windows successful user login events. On the first event, the user account is added to the Windows Login Count active list, and the device and agent severity are set to Low. If the user is already in the active list, the Login Count is incremented.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/

User Session (Administrative User) Started

This rule detects user session start events reported by identity management devices, defined as an identity management access start event with user ID and session information. The rule then updates the Identity Management's User Sessions list. This rule supports Cisco Secure ACS.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

User VPN Session Stopped

This rule detects VPN user session stop (or terminate) events, defined as a VPN access stop event with user ID information. The rule then updates the User VPN Sessions list. This rule supports Cisco VPN products, Nokia Security Platform, and Nortel VPN products.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/

Windows Account Created

This rule detects Microsoft Windows account creation events (Security:624). On the first event, the user account is added to the Windows Created Accounts active list, and the device and agent severity are set to Low.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/

User Session (Normal User) Started

This rule detects user session start events reported by identity management devices, defined as an identity management access start event with user ID and session information. The rule then updates the Identity Management's User Sessions list. This rule supports ActivCard AAA Server Accounting and Cisco VPN products.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

User VPN Session Started

This rule detects VPN user session start events, defined as a VPN access start event with user ID information. The rule then updates the User VPN Sessions list. This rule supports Cisco VPN products, Nokia Security Platform, and Nortel VPN products.

Rule ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/

Library Resources

User-based Rule Exclusions

This active list contains target user information for specific users to be excluded from certain rule conditions where the rule tracks user activity.

Active List ArcSight System/Tuning

Windows Locked Out Accounts

This active list stores the user ID, the user name, and the number of times a Windows account has been locked out. The Windows Account Locked Out rule adds user accounts to the list (or increments the count if the user account is already in the list). The TTL is set to one hour by default.

Active List ArcSight Foundation/Intrusion Monitoring/User Tracking/

Windows Login Count

This active list stores the user ID, the user name, and the current number of workstations a Windows user is logged in to. The Successful Windows Login rule increments the count and the Successful Windows Logout rule decrements the count. The TTL is set to one hour by default.

Active List ArcSight Foundation/Intrusion Monitoring/User Tracking/

Windows Created Accounts

This active list stores the user ID and the user name of the Windows accounts that have been created. The Windows Account Created rule adds user accounts to the list and the Windows Account Created and Deleted within 1 Hour rule removes user accounts from the list. The TTL is set to one hour by default.

Active List ArcSight Foundation/Intrusion Monitoring/User Tracking/

Last 10 Failed Login Events

This data monitor shows the last 10 failed firewall logins.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Top Users by Login Activity

This top data monitor shows the users with the most network login activity within the last 60 minutes.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Network/

Last 10 Successful Login Events

This data monitor shows the last 10 successful firewall logins.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Authentication Failures by Source

This data monitor displays the source information of failed authentication attempts within five-minute intervals over the last hour as reported by Identity Management devices.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/Identity Management Overview/

Top 10 Users With Failed Logins

This data monitor shows the top 10 users with failed firewall logins.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Login Results

This data monitor shows the number of firewall logins (attempt, success, failure) in a pie chart.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Authentication Failures by Destination

This data monitor displays the destination information of failed authentication attempts within five-minute intervals over the last hour as reported by Identity Management devices.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/Identity Management Overview/

Top Users by Connection Count

This data monitor shows the top users by the number of connections in five-minute intervals for the last hour, as reported by Identity Management devices.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/Identity Management Overview/

ActingUser

This variable returns the AttackerUser, if known, or the TargetUser, if that is the only user information available within the event. The format is the same as the AttackerUser or TargetUser variables.

Global Variable

ArcSight Foundation/Variables Library/User Information/

AttackerUser

This variable displays the attacker user name. If the attacker user name is unavailable, the variable displays the attacker user ID. If neither field is available, the variable displays unknown.

Global Variable

ArcSight Foundation/Variables Library/User Information/

TargetUser

This variable displays the target user name. If the target user name is unavailable, the variable displays the target user ID. If neither field is available, the variable displays unknown.

Global Variable

ArcSight Foundation/Variables Library/User Information/

Network Events

This filter identifies events whose category object starts with Network or whose category device group starts with Network Equipment.

Filter ArcSight Foundation/Common/Device Class Filters/

Successful Windows Logout

This filter identifies successful Windows logout events (Device Event Class ID = Security:538). The filter looks for the following types of logouts: console (2), lock (7), and remote (10).

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Operating System/

VPN Events

This filter identifies events with the category device group of VPN.

Filter ArcSight Foundation/Common/Device Class Filters/

Login Events

This filter identifies events with the category behavior of /Authentication/Verify.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/

Identity Management Connection Start Events

This filter identifies events where an Identity Management system has seen an access start event with valid user information.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

Resource Description Type URI

Target User ID is NULL

This filter is designed for conditional expression variables. The filter identifies events in which the Target User ID is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/User/

Successful Login Events

This filter identifies events with the category behavior of /Authentication/Verify and the category outcome of Success.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/

Failed Login Events

This filter identifies events with the category behavior of /Authentication/Verify and the category outcome of Failure.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/

VPN Login Events

This filter identifies VPN events with the category behavior of /Authentication/Verify.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/

Operating System Login Events

This filter identifies operating system events with the category behavior of /Authentication/Verify.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Operating System/

Failed Operating System Login Events

This filter identifies operating system events with the category behavior of /Authentication/Verify and the category outcome of Failure.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Operating System/

ASM Events

This resource has no description.

Filter ArcSight System/Event Types

All Events

Filter that matches all events.

Filter ArcSight System/Core

Successful Operating System Login Events

This filter identifies operating system events with the category behavior of /Authentication/Verify and the category outcome of Success.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Operating System/

Failed Network Login Events

This filter identifies events with the category behavior of /Authentication/Verify, category outcome of Failure, and category object starting with Network.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Network/

Successful Network Login Events

This filter identifies events with the category behavior of /Authentication/Verify, category outcome of Success, and category object starting with Network.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Network/

LockedCount is NULL

This filter identifies events in which the LockedCount is NULL. The LockedCount variable is used in the Windows Account Locked Out rule and retrieves, from the Windows Locked Out Accounts active list, the number of times a Windows account has been locked out.

Filter ArcSight Foundation/Intrusion Monitoring/Conditional Variable Filters/

Attacker User ID is NULL

This filter identifies events in which the Attacker User ID is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/User/

LoginCount is NULL or 0

This filter identifies events in which the LoginCount is NULL or equal to 0. LoginCount is a variable used in the Successful Windows Login and Successful Windows Logout rules and retrieves the number of successful Windows logins from the Windows Login Count active list.

Filter ArcSight Foundation/Intrusion Monitoring/Conditional Variable Filters/

Firewall Events

This filter retrieves events with the Firewall category device group.

Filter ArcSight Foundation/Common/Device Class Filters/

Attacker User Name is NULL

This filter identifies events where the Attacker User Name is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/User/

Failed Firewall Login Events

This filter identifies firewall events with the category behavior of /Authentication/Verify and the category outcome of Failure.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Firewall/

Network Login Events

This filter identifies events with the category behavior of /Authentication/Verify and the category device group starting with Network.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Network/

Database Events

This filter identifies events with the category object /Host/Application/Database.

Filter ArcSight Foundation/Configuration Monitoring/Detail/Configuration Changes/Device/Database/

Successful Windows Login

This filter detects successful Windows login events (Device Event Class ID = Security:528). The filter looks for the following types of logins: console (2), lock (7), and remote (10).

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Operating System/

Firewall Login Events

This filter identifies firewall events with the category behavior of /Authentication/Verify.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Firewall/

Successful VPN Login Events

This filter identifies VPN events with the category behavior of /Authentication/Verify and category outcome of Success.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/

Failed VPN Login Events

This filter identifies VPN events with the category behavior of /Authentication/Verify and category outcome of Failure.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/

Failed Identity Management Login Attempts

This filter identifies events where an authentication attempt failed.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

Attacker User Name and ID are NULL

This filter identifies events in which the Attacker User Name and Attacker User ID are NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/User/

Identity Management Events

This filter identifies events in which the Category Device Group starts with Identity Management.

Filter ArcSight Foundation/Common/Device Class Filters/

Operating System Events

This filter identifies events with the category device group of Operating System.

Filter ArcSight Foundation/Common/Device Class Filters/

ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Target User Name is NULL

This filter identifies events where the Target User Name is NULL.

Filter ArcSight Foundation/Common/Conditional Variable Filters/User/

Successful Firewall Login Events

This filter identifies firewall events with the category behavior of /Authentication/Verify and the category outcome of Success.

Filter ArcSight Foundation/Intrusion Monitoring/User Tracking/Firewall/

Failed Logins by Source Address

This report shows authentication failures from login attempts to a firewall by source address. A chart shows the top 10 source addresses with failed login attempts. A table shows the count of authentication failures by source-destination pair and by user.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Successful Logins by Source Address

This report shows authentication successes from login attempts to a firewall by source address. A chart shows the top 10 source addresses with successful login attempts. A table shows the count of authentication successes by source-destination pair and by user.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Failed Login Attempts

This report shows the count of authentication failures from login attempts reported by identity management systems by hour in a chart and the details of all the authentication failures in a table.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Top Hosts by Number of Connections

This report shows a summary of the number of firewall connections by the top hosts in a chart. By default, the chart shows the number of connections by host for the previous day.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Successful Logins by User

This report shows authentication successes from firewall login attempts by user. A chart shows the top 10 users with successful login attempts. A table shows details of the successful login attempts grouped and sorted by user.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Failed Logins by User

This report shows authentication failures from firewall login attempts by user. A chart shows the top 10 users with failed login attempts. A table shows the details of the failed login attempts grouped and sorted by user.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Failed Logins by Destination Address

This report shows authentication failures from login attempts to a firewall by destination address. A chart shows the top 10 destination addresses with failed login attempts. A table shows the count of authentication failures by destination-source pair and by user.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Login Event Audit

This report shows all the successful and failed database login events in a table sorted chronologically.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Database/

Successful Logins by Destination Address

This report shows authentication successes from login attempts to a firewall by destination address. A chart shows the top 10 destination addresses with successful login attempts. A table shows the count of authentication successes by destination-source pair and by user.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Firewall/

Login Event Audit

This query returns all the successful and failed login attempts. The query returns the source and destination addresses, hostnames, zones, user name, device group, and outcome.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Successful Logins by Source Address (Chart)

This query returns authentication success events from login attempts.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

User Activity

This query returns events in which the source user ID, source user name, destination user ID, or destination user name is not NULL.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/

Users with Open Connections

This query returns the user ID and the Identity Management device for each user in the User Sessions list where the user entry has not been terminated (logged out or timed out) or expired.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Failed Logins by Destination Address (Chart)

This query returns authentication failure events from login attempts, including the count of failed login attempts by destination address.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Windows Events

This query returns events reported by the Microsoft operating system.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Operating System/

Users by Connection Count

This query identifies VPN events where the category behavior is /Access/Start, /Authentication/Verify, or /Authorization/Verify, with user information available, returning the user and host information, and the number of VPN connections.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Counts by User/

Failed Login by User (Chart)

This query returns the count of failed login attempts per user.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Top Connection Durations

This query returns the user ID and average duration from the User Identity Management Sessions list and sorts them by the top duration.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Failed Login Attempts

This query returns all authentication failures from login attempts.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Successful Login by User

This query returns users with successful login attempts. The query returns the user name, source and destination addresses, hostnames, and zones.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Top Users by Connection Count

This query identifies VPN events where Category Behavior is /Access/Start, /Authentication/Verify, or /Authorization/Verify, with user information available, returning the number of VPN connections per user.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/VPN/Connection Counts by User/

Login Errors by User

This query returns operating system login errors. The query returns the user name, event name, source and destination addresses, hostnames, and zones.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Operating System/

Failed Login by User

This query returns users with failed login attempts. The query returns the user name, source and destination addresses, hostnames, zones, and the device group.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Login Errors by User (Chart)

This query returns the count of operating system login errors by username.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Operating System/

Successful Logins by Destination Address (Chart)

This query returns authentication success events from login attempts, including the count of failed login attempts by destination address.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Failed Logins by Source Address (Chart)

This query returns authentication failure events from login attempts, including the count of failed login attempts by source address.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Closed Connection Durations

This query returns the user ID and the minimum, average, maximum, and total durations (in minutes) for all user IDs with closed or terminated sessions in the User Sessions list.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Identity Management/

Failed Login Attempts (Chart)

This query returns the count of authentication failures from login attempts by hour.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Top Hosts by Number of Connections

This query returns host information and the number of events in which the category behavior is /Access/Start and the category outcome is not Failure.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Network/

SNMP Authentication Failures by Device

This query returns events with authentication or authorization failures using SNMP. The query returns the device information sorted by count, from highest to lowest.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Network/Device SNMP Authentication Failures/

Device SNMP Authentication Failures by User

This query returns events with authentication or authorization failures using SNMP. The query returns user information sorted by count, from highest to lowest.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Network/Device SNMP Authentication Failures/

Failed Logins by Source-Destination Pair

This query returns authentication failure events from login attempts. The query returns the source zone, source address, source host name, destination zone, destination address, destination host name, user name, user ID, count of failed logins, and device group.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Successful Logins by Source-Destination Pair

This query returns authentication success events from login attempts.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Successful Login by User (Chart)

This query returns the count of successful login attempts per user.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Cross-Device/

Device SNMP Authentication Failures

This query returns events with authentication or authorization failures using SNMP.

Query ArcSight Foundation/Intrusion Monitoring/Detail/User Tracking/Network/Device SNMP Authentication Failures/

User Sessions

This session list tracks Identity Management user session starts and stops (or terminations). The default expiration time for a session is five days, at which point the session is automatically considered terminated. If a majority of the sessions are showing a duration of five days, increase the Entry Expiration Time. The sessions are maintained by the User Session (Identity Management) Started and User Session (Identity Management) Stopped rules.

Session List

ArcSight Foundation/Intrusion Monitoring/User Tracking/Identity Management/

User VPN Sessions

This session list tracks VPN user session starts and stops (or terminations), for purposes of tracking user session durations. The default expiration time for a session is five days, at which point the session is automatically considered terminated. If a majority of the sessions are showing a duration of five days, consider increasing the Entry Expiration Time. The sessions are maintained by the User VPN Session Started and User VPN Session Stopped rules.

Session List

ArcSight Foundation/Intrusion Monitoring/User Tracking/VPN/

Reconnaissance

The Reconnaissance resources expand on the ArcSight Core reconnaissance rules and provide insight into the different types of reconnaissance directed at the network or parts of the network. This content breaks down reconnaissance activity by type. Dashboards show which parts of the network are being scanned and how.

Devices

The following device types can supply events that apply to the Reconnaissance resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The Reconnaissance resource group requires the following configuration for your environment:

Enable the following trends:

Reconnaissance Activity—This trend collects a daily snapshot of events using the Reconnaissance Activity Trend query. The Scanning Activity by Business Role Trend report is based on this trend.

Reconnaissance Types Detected—This trend collects a daily snapshot of events. This data is used by the Top 10 Reconnaissance Types Detected trend.

Top 10 Reconnaissance Types Detected—This trend collects the top 10 reconnaissance event types per day from the Reconnaissance Types Detected trend. This data is used by the Reconnaissance Types Detected Trend report.


Resources

The following table lists all the resources in the Reconnaissance resource group and any dependent resources.

Table 3-9 Resources that Support the Reconnaissance Group

Resource Description Type URI

Monitor Resources

Reconnaissance Activity

This active channel shows reconnaissance events received during the last two hours. The active channel includes a sliding window that displays the last two hours of event data.

Active Channel

ArcSight Foundation/Intrusion Monitoring/Reconnaissance/

Reconnaissance in Progress

This dashboard displays the Top 10 Zones Scanned, the Last 10 Zones Scanned, the Last 10 Hosts Scanned, and the Last 10 Scanners data monitors to give an overview of the reconnaissance activity against the network.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Reconnaissance Graph

This dashboard displays the Reconnaissance Graph data monitor to provide operators and analysts a view into how reconnaissance events are probing the network.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Port Scanning Activity Trend

This report displays a chart showing the top transport protocol and target port pairs (Protocol - Port) by target zone over the last seven days based on summary data from the Port Scanning trend. The report also presents a table showing the daily summary of the top 20 prioritized event counts from each zone for the protocol - port pairs from the Port Scanning Daily Top 20 trend.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Scanning Activity by Business Role Trend

This report displays a daily trend of scanning events related to business roles over the past seven days and a table giving a simple breakdown of the activity charted.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/


Reconnaissance Types Detected Trend

This report shows the daily event activity summary for the different reconnaissance types over the past seven days (based on ArcSight System rules with names beginning with Reconnaissance - and differentiated by the type names Distributed Host Port Scan, Distributed Network Host Scan, Multiple Host Scan, Network Service Scan, Script Scan, Stealthy Host Port Scan, and Vulnerability Scan). A table shows the daily breakdown and zone information charted. The Row Limit is set to 70 (top 10 * 7 days). To extend the time frame, change the row limit accordingly. Note: The Top 10 Reconnaissance Types Detected and the Reconnaissance Types Detected trends are disabled by default. This report does not show any results until these trends have been enabled and have become sufficiently populated.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Prioritized Scanning Activity by Zone

This report shows the numbers of events, by priority and target zone, over the past hour. A table shows the zones in order of highest event counts by the priority of the events (from highest priority to lowest).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Prioritized Scanning Activity by Business Role

This report shows the activity levels and priorities of reconnaissance events directed at assets within the various business role categories.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Scanning Activity by Zone Trend

This report shows the daily trend of the most frequent reconnaissance events and a daily prioritized breakdown of those events by zone over the last seven days. The report uses two separate queries, one for the table and a simpler one for the chart, on the Zone Scanning Events by Priority trend.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/


Reconnaissance Types Detected by Zone

This report presents a chart with the event activity over the past hour of the different reconnaissance types (based on ArcSight System rules with names beginning with Reconnaissance - and differentiated by the type names Distributed Host Port Scan, Distributed Network Host Scan, Multiple Host Scan, Network Service Scan, Script Scan, Stealthy Host Port Scan, and Vulnerability Scan). A table shows the breakdown and zone information charted.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Port Scanning Activity

This report presents a chart of the most frequently occurring events for transport protocol/target port pairs by zone. A table shows more data points for additional information beyond that presented in the chart.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Library - Correlation Resources

Firewall - Host Port Scan

This rule looks for port scans on a host. The rule monitors failure access detected by a firewall. The rule triggers when three events occur within three minutes with the same attacker/target pair with different target ports each time. On the first threshold, the attacker address is added to the Reconnaissance active list and the target address is added to the Scanned active list.

Rule ArcSight Foundation/Intrusion Monitoring/Reconnaissance/

Firewall - Application Protocol Scan

This rule detects application protocol scans. The rule monitors failure access detected by a firewall. The rule triggers when three events occur within three minutes with the same attacker/target pair with different application protocols each time. On the first threshold, the attacker address is added to the Reconnaissance active list and the target address is added to the Scanned active list.

Rule ArcSight Foundation/Intrusion Monitoring/Reconnaissance/


Attack from Source having Reconnaissance History

This rule detects attacks from sources that have already performed reconnaissance. This rule triggers when the attacker is in the Reconnaissance or Untrusted active list and the event has hostile or compromise significance. On the first event, the attacker is added to the Hostile active list.

Rule ArcSight Foundation/Intrusion Monitoring/Reconnaissance/

Firewall - Network Port Scan

This rule looks for a network port scan. The rule monitors failure access detected by a firewall. The rule triggers when five events occur within three minutes with the same port for each attacker/target pair, but with different target addresses each time. On the first threshold, the attacker address is added to the Suspicious active list and the target address is added to the Scanned active list.

Rule ArcSight Foundation/Intrusion Monitoring/Reconnaissance/
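The three firewall scan rules and the Attack from Source having Reconnaissance History rule above are all sliding-window correlations: count distinct values of one field (target port, application protocol, target address) per key within three minutes, and on the first threshold write the attacker and target to active lists that a later rule reads back. The Python below is an added illustration of that logic, not ArcSight's rule engine or any content shipped with it; the Event field names, the ActiveLists container and the sample addresses are constructed for this example, and it also shows the case the rule descriptions imply but do not spell out, where the third probe falls outside the window and no alert fires.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 180          # "within three minutes" in the rule descriptions
HOST_PORT_THRESHOLD = 3       # Firewall - Host Port Scan: three distinct target ports
APP_PROTO_THRESHOLD = 3       # Firewall - Application Protocol Scan: three distinct protocols
NET_PORT_THRESHOLD = 5        # Firewall - Network Port Scan: five distinct target addresses


@dataclass
class Event:
    """Minimal stand-in for a normalized firewall event (hypothetical field names)."""
    ts: int                   # event time in seconds; constructed samples use small integers
    attacker: str
    target: str
    port: int
    app_protocol: str
    outcome: str              # "failure" marks an access failure reported by the firewall
    significance: str = ""    # e.g. "Hostile" or "Compromise" on attack events


@dataclass
class ActiveLists:
    """Stand-ins for the active lists the rules write to and read from."""
    reconnaissance: set = field(default_factory=set)
    suspicious: set = field(default_factory=set)
    scanned: set = field(default_factory=set)
    untrusted: set = field(default_factory=set)
    hostile: set = field(default_factory=set)


class ScanCorrelator:
    def __init__(self, lists: ActiveLists):
        self.lists = lists
        self.alerts = []
        # Per-rule, per-key sliding windows of (ts, distinct value), plus the keys that
        # already fired so each rule reports only its first threshold crossing per key.
        self.windows = {name: defaultdict(deque) for name in ("host_port", "app_proto", "net_port")}
        self.fired = {name: set() for name in self.windows}

    def _distinct_in_window(self, rule, key, ts, value):
        bucket = self.windows[rule][key]
        bucket.append((ts, value))
        # Expire entries older than the window relative to the newest event.
        while bucket and ts - bucket[0][0] > WINDOW_SECONDS:
            bucket.popleft()
        return len({v for _, v in bucket})

    def _check(self, rule, key, ts, value, threshold, attacker_list, ev):
        if key in self.fired[rule]:
            return
        if self._distinct_in_window(rule, key, ts, value) >= threshold:
            self.fired[rule].add(key)
            attacker_list.add(ev.attacker)          # Reconnaissance or Suspicious list
            self.lists.scanned.add(ev.target)       # Scanned list
            self.alerts.append((rule, ev.attacker, ev.target))

    def process(self, ev: Event):
        # Attack from Source having Reconnaissance History: any hostile/compromise event
        # from a source already in the Reconnaissance or Untrusted list goes to Hostile.
        if ev.significance in ("Hostile", "Compromise") and (
            ev.attacker in self.lists.reconnaissance or ev.attacker in self.lists.untrusted
        ):
            self.lists.hostile.add(ev.attacker)
            self.alerts.append(("attack_with_recon_history", ev.attacker, ev.target))
        # The three firewall scan rules only consider access failures.
        if ev.outcome != "failure":
            return
        pair = (ev.attacker, ev.target)
        self._check("host_port", pair, ev.ts, ev.port, HOST_PORT_THRESHOLD, self.lists.reconnaissance, ev)
        self._check("app_proto", pair, ev.ts, ev.app_protocol, APP_PROTO_THRESHOLD, self.lists.reconnaissance, ev)
        self._check("net_port", (ev.attacker, ev.port), ev.ts, ev.target, NET_PORT_THRESHOLD, self.lists.suspicious, ev)


def run_sample():
    """Replay constructed events through the correlator; returns (lists, alerts)."""
    lists = ActiveLists()
    corr = ScanCorrelator(lists)
    events = []
    # 10.0.0.5 fails against three ports/protocols on one host within three minutes
    for i, (port, proto) in enumerate(((22, "ssh"), (23, "telnet"), (25, "smtp"))):
        events.append(Event(i * 60, "10.0.0.5", "192.0.2.10", port, proto, "failure"))
    # same source, same port, five different hosts -> Network Port Scan
    for i in range(5):
        events.append(Event(200 + i * 10, "10.0.0.5", f"192.0.2.{20 + i}", 445, "smb", "failure"))
    # a later hostile event from a source now in the Reconnaissance list -> Hostile list
    events.append(Event(300, "10.0.0.5", "192.0.2.30", 445, "smb", "success", "Hostile"))
    # 10.0.0.6 touches three ports, but the third lands outside the window -> no alert
    events.append(Event(500, "10.0.0.6", "192.0.2.40", 80, "http", "failure"))
    events.append(Event(600, "10.0.0.6", "192.0.2.40", 81, "http", "failure"))
    events.append(Event(900, "10.0.0.6", "192.0.2.40", 82, "http", "failure"))
    for ev in events:
        corr.process(ev)
    return lists, corr.alerts


if __name__ == "__main__":
    lists, alerts = run_sample()
    for alert in alerts:
        print(alert)
    print("hostile:", sorted(lists.hostile), "scanned:", sorted(lists.scanned))
```

The window is evaluated relative to the newest event for a key, which is the usual rule-engine semantics; a production implementation would also need to bound memory per key and to expire list entries, which the active lists above do on their own schedule.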

Library Resources

Hostile List

This resource has no description.

Active List ArcSight System/Threat Tracking

Suspicious List

This resource has no description.

Active List ArcSight System/Threat Tracking

Trusted List

This resource has no description.

Active List ArcSight System/Attackers

Untrusted List

This resource has no description.

Active List ArcSight System/Attackers

Reconnaissance List

This resource has no description.

Active List ArcSight System/Threat Tracking

Scanned List

This resource has no description.

Active List ArcSight System/Targets

Business Role

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis

Protected

This is a site asset category.

Asset Category Site Asset Categories/Address Spaces

Last 10 Hosts Scanned

This data monitor shows the target zone and address, along with the time, of the last 10 reconnaissance events, providing an overview of the most recent scanning activity against specific hosts.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/Reconnaissance in Progress/


Top 10 Zones Scanned

This data monitor shows the target zone of the 10 most frequent reconnaissance events within the last hour, providing an overview of the most recent scanning activity against the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/Reconnaissance in Progress/

Last 10 Zones Scanned

This data monitor shows the time and the target zone of the last 10 reconnaissance events, providing an overview of the most recent scanning activity against the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/Reconnaissance in Progress/

Last 10 Scanners

This data monitor shows the attacker zone and address, along with the time, of the last 10 reconnaissance events to give an overview of the most recent scanning activity against the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/Reconnaissance in Progress/

Reconnaissance Graph

This data monitor provides operators and analysts a view into how reconnaissance events are probing the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/Reconnaisance Graph/

Not Correlated and Not Closed and Not Hidden

This resource has no description. Filter ArcSight System/Event Types

Reconnaissance Events by Target

This filter identifies events where the target address is provided and the event matches the Reconnaissance Events (Internal Targets) filter.

Filter ArcSight Foundation/Intrusion Monitoring/Reconnaissance/

Reconnaissance Events by Target Zone

This filter identifies events where the target zone is provided and the event matches the Reconnaissance Events (Internal Targets) filter.

Filter ArcSight Foundation/Intrusion Monitoring/Reconnaissance/

ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Reconnaissance Events by Attacker

This filter identifies events where the attacker address is provided and the event matches the Reconnaissance Events (Internal Targets) filter.

Filter ArcSight Foundation/Intrusion Monitoring/Reconnaissance/


Reconnaissance Events (Internal Targets)

This filter identifies events that match the .../Boundary Filters/Internal Target, .../Event Types/Not Correlated and Not Closed and Not Hidden, and .../Event Types/Non-ArcSight Internal Events filters and one or more conditions where the event name starts with Reconnaissance, the category significance is Recon or the category technique starts with Scan. This is the foundation filter for the other Reconnaissance filters: Reconnaissance Events by Attacker, Reconnaissance Events by Target, and Reconnaissance Events by Target Zone.

Filter ArcSight Foundation/Intrusion Monitoring/Reconnaissance/

ASM Events

This resource has no description.

Filter ArcSight System/Event Types

Internal Target

This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Zone Scanning Events

This query returns the target zone resource, the priority, and sums the aggregated event count of events for the chart and table in the Prioritized Scanning Activity by Zone report. The events are selected by the Reconnaissance Events by Target Zone filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Top 10 Reconnaissance Types Detected on Trend

This query returns the top 10 reconnaissance event types per day from the Reconnaissance Types Detected trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Reconnaissance Types Detected on Trend

This query returns the date, the target zone, the event name and the sum of the aggregated event count from the summary of the Top 10 Reconnaissance Types Detected trend for the Daily Breakdown of Reconnaissance Types Detected table in the Reconnaissance Types Detected Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/


Reconnaissance Types Detected

This query returns the target zone resource, reconnaissance type (event name), and sums the aggregated event count of events where the event name starts with Reconnaissance but not Reconnaissance - In Progress, matches the Reconnaissance Events (Internal Target) filter, and is a correlation event (event type = 2), for the Reconnaissance Types Detected by Zone report.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Ports Scanned

This query returns the target zone resource, the transport protocol and target port pair as a variable (dvProtocol-Port), and sums the aggregated event count of events where the target port is provided and matching the Reconnaissance Events (Internal Target) filter for the table and chart in the Port Scanning Activity report.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Reconnaissance/

Business Roles Scanned

This query returns the business role via a variable (dvBusinessRole), the priority, and sums the aggregated event count of events matching the Reconnaissance Events (Internal Target) filter targeting assets categorized by the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/ category.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Port Scanning Daily Top 20, Trend on Trend

This query returns the target zone resource, priority, transport protocol, target port, and sums the aggregated event count for the summary data from the Port Scanning trend to populate the Port Scanning Daily Top 20 trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/Trend Queries/

Port Scanning Trend

This query returns the target zone resource, transport protocol, target port, priority, and sums the aggregated event count of events where the target port is provided and match the Reconnaissance Events (Internal Target) filter to populate the Port Scanning trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/Trend Queries/


Zone Scanning Events by Priority Trend

This query returns the target zone resource, the priority, and sums the aggregated event counts of events selected by the Reconnaissance Events by Target Zone filter for the Zone Scanning Events by Priority trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/Trend Queries/

Daily Port Scanning Activity on Trend

This query returns the date via a variable (dvDate), the target zone resource, the priority, the transport protocol, the target port, and sums the aggregated event count from the summary provided by the Port Scanning Daily Top 20 trend for the Daily Top 20 Protocol and Ports by Zone table in the Port Scanning Activity Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Reconnaissance Types Detected on Trend (Chart Query)

This query returns the date, the reconnaissance type (event name), and a sum of the aggregated event count from summary information in the Top 10 Reconnaissance Types Detected trend. This query provides data for the Daily Reconnaissance Types Detected chart in the Reconnaissance Types Detected Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Daily Port Scanning Activity on Trend (Chart Query)

This query returns the date via a variable (dvDate), the target zone resource, the priority, the transport protocol, the target port, and sums the aggregated event count from the summary provided by the Port Scanning trend for the Top 20 Protocol and Ports by Count from MM-DD-YYYY to MM-DD-YYY-HH:MM:SS chart in the Port Scanning Activity Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Reconnaissance Activity Trend

This query returns the target zone resource, the attacker zone resource, the category significance, category technique and sums the aggregated event count of events using the Reconnaissance Events by Target filter for the Reconnaissance Activity trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/Trend Queries/


Reconnaissance Types Detected Trend

This query returns the target zone resource, event name, priority and sums the aggregated event count of event data for the Reconnaissance Types Detected trend. The events are filtered by the Reconnaissance Events (Internal Targets) filter, the event name starting with Reconnaissance but not the Reconnaissance - In Progress event.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/Trend Queries/

Zone Scanning Activity on Trend

This query returns the date, the priority, the target zone resource, and sums the aggregated event count from the Zone Scanning Events by Priority trend for the Daily Breakdown of Zone Scanning Activity by Priority table in the Scanning Activity by Zone Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Daily Scanning Events by Business Role on Trend

This query returns the date, the business role via a variable (dvBusinessRole), and sums the aggregated event count of the data from the Reconnaissance Activity trend. This query provides both chart and table data for the Scanning Activity by Business Role Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Zone Scanning Activity on Trend (Chart Query)

This query returns the date, the target zone resource, and sums the aggregated event counts from the Zone Scanning Events by Priority trend to provide data for the Daily Zone Scanning Activity chart in the Scanning Activity by Zone Trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Port Scanning Daily Top 20

This trend provides a daily snapshot of the top events in the Port Scanning trend. Up to 20 events per day are collected for use as detailed daily information in the Port Scanning Activity trend. The Port Scanning trend collects the top events for the day and this trend follows up and collects summary information.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/


Reconnaissance Types Detected

This trend collects a daily snapshot of events using the Reconnaissance Types Detected Trend query. Up to 1000 events per day are collected to capture the most common reconnaissance types. This data is used by the Top 10 Reconnaissance Types Detected trend. Note: This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Port Scanning

This trend collects a daily snapshot of the top 1000 events for use as detailed daily information in the Port Scanning Activity Trend report. This trend collects the top events for the day, and the Port Scanning Daily Top 20 trend (a trend on this trend) follows up and collects summary information.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Zone Scanning Events by Priority

This trend collects a daily snapshot of events using the Zone Scanning Events by Priority Trend query. Up to 1000 events per day are collected. The data is used by the Scanning Activity by Zone Trend report.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Top 10 Reconnaissance Types Detected

This trend returns the top 10 reconnaissance event types per day from the Reconnaissance Types Detected trend. This data is used by the Reconnaissance Types Detected Trend report. Note: This trend is not enabled by default. It also depends on the Reconnaissance Types Detected trend, which is also not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/

Reconnaissance Activity

This trend collects a daily snapshot of events using the Reconnaissance Activity Trend query. Up to 1000 events per day are collected to provide data for the Scanning Activity by Business Role Trend report. Note: This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Reconnaissance/


Regulated Systems

The Regulated Systems resources focus on events related to assets that have been categorized as one of the compliance requirement asset categories, such as HIPAA, Sarbanes-Oxley, and FIPS-199.

Devices

The following device types can supply events that apply to the Regulated Systems resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The Regulated Systems resource group requires the following configuration for your environment:

Categorize all regulated systems in your environment with the Compliance Requirement or the Sarbanes-Oxley asset category.

For more information about categorizing assets, refer to “Categorizing Assets” on page 13.

Resources

The following table lists all the resources in the Regulated Systems resource group and any dependent resources.

Table 3-10 Resources that Support the Regulated Systems Group

Resource Description Type URI

Monitor Resources

Regulated Systems - By Host - Attacked

This report shows the target host name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Compliance Requirement asset category, that match the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Regulated Systems/

Regulated Systems - Count Vulnerabilities

This report shows the compliance requirement, asset name, and the count of vulnerabilities for assets in the /All Asset Categories/Site Asset Categories/Compliance Requirement asset category.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Regulated Systems/


Regulated Systems - By Attack

This report displays the event name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Compliance Requirement asset category, that match the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Regulated Systems/

Sarbanes-Oxley - Top 10 Targets

This report displays the target host name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Data Role/Reporting Requirement/Sarbanes-Oxley asset category, that match the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Regulated Systems/

Library Resources

Compliance Requirement

This is a site asset category. Asset Category

Site Asset Categories

Sarbanes-Oxley

This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Data Role/Reporting Requirement

Attack Events

This filter identifies events where the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

All Events

Filter that matches all events.

Filter ArcSight System/Core

Regulated Systems - By Attack

This query returns the event name and the sum of the aggregated event count for events with Target Asset IDs in the /All Asset Categories/Site Asset Categories/Compliance Requirement asset category, that match the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Regulated Systems/

Sarbanes-Oxley - Top 10 Targets

This query returns the target Host name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Data Role/Reporting Requirement/Sarbanes-Oxley asset category, that match the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Regulated Systems/


Regulated Systems - By Host - Attacked

This query returns the target host name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Compliance Requirement asset category, that match the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Regulated Systems/

Regulated Systems - Count Vulnerabilities

This query returns the compliance requirement, asset name, and the count of vulnerabilities for assets in the /All Asset Categories/Site Asset Categories/Compliance Requirement asset category.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Regulated Systems/


Resource Access

The Resource Access resources focus on access events, broken down by resource type (database, email, files, and so on), and track this access by user. The brute force resource activity is included here. There are session lists that track the duration of an access session by user, and the duration of access sessions that took place after a brute force login attack.

Devices

The following device types can supply events that apply to the Resource Access resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The Resource Access resource group requires the following configuration for your environment:

Enable the following trends:

Daily Top 10 Resource Access Trends—You can use this trend to generate a report.

Resource Access—The data from this trend is used by the Daily Top 10 Resource Access Trends trend.

Resources

The following table lists all the resources in the Resource Access resource group and any dependent resources.

Table 3-11 Resources that Support the Resource Access Group

Resource Description Type URI

Monitor Resources

Access Initiation Events

This active channel shows events received during the last two hours and includes a sliding window that displays the last two hours of event data. A selection of three filters restricts the events shown in the active channel only to those related to access initiation, authentication verification, or authorization verification for database, email, and file resources.

Active Channel

ArcSight Foundation/Intrusion Monitoring/Resource Access/


All Access and Authentication Events

This active channel shows events received during the last two hours and includes a sliding window that displays the last two hours of event data. A selection of three filters restricts the events shown in the active channel only to those related to access and authorization for any resource.

Active Channel

ArcSight Foundation/Intrusion Monitoring/Resource Access/

Access Termination Events

This active channel shows events received during the last two hours and includes a sliding window that displays the last two hours of event data. A selection of three filters restricts the events shown in the active channel only to those related to access termination for database, email, and file resources.

Active Channel

ArcSight Foundation/Intrusion Monitoring/Resource Access/

Resource Access Trend

This report displays unusual resource access attempt trends for each of the past seven days. The range of outcomes is failure, attempt, or success. An outcome of attempt means that there is not sufficient information to determine whether the access succeeded. Note: An outcome of success means that there is enough information to know that the resource was accessed, but the access initiation did not fit the normal access initiation pattern. The report is built from the Resource Access trend, which is disabled by default; enable the trend before running the report.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Brute Force Session Trends

This report shows trend information about active and closed resource access sessions after a successful brute force attack. The data for this report comes from the Brute Force Resource Access (keyed by target) session list.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Access Events by Database Resource

This report displays unusual database resource access attempts. The range of outcomes is failure, success, or attempt (there is not sufficient information to determine if the attempt succeeded). Note: An outcome of success means that there is enough information to know that the database resource was accessed, but the access initiation does not fit in the normal database access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/


Brute Force Access Activity

This report displays information about active and closed resource access sessions after a successful brute force attack. The data for this report comes from the Brute Force Resource Access (keyed by target) session list.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Sessions/

Access Activity

This report gives the details of active and closed resource access sessions based on session information in the Resource Access session list. The Resource Access session list has an entry expiration of four days, so the report parameters are set to cover all the entries, up to the row limits set in the parameters.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Sessions/

Email Resource Access by Users

This report displays successful and unusual email resource access attempt information. The range of outcomes is failure, attempt, or success. An outcome of attempt means that there is not sufficient information to determine if the attempt succeeded. Note: An outcome of success means that there is enough information to know that the resource was accessed, but the access initiation did not fit in the normal access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Database Resource Access by Users

This report displays successful database access and failed or attempted database access events. The range of outcomes is failure, success, or attempt (there is not sufficient information to determine if the attempt succeeded). Note: An outcome of success means that there is enough information to know that the resource was accessed, but the access initiation did not fit in the normal access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Access Events by File Resource

This report displays unusual file access attempts. The range of outcomes is failure, attempt or success. An outcome of attempt means that there is not sufficient information to determine if the file access attempt succeeded. Note: An outcome of success means that there is enough information to know that the file was accessed, but the access did not fit in the normal pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/


File Resource Access by Users

This report displays successful file access, and failed or attempted file access events. The range of outcomes is failure, success, or attempt. An outcome of attempt means that there is not sufficient information to determine if the attempt succeeded. An outcome of success means that there is enough information to know that the resource was accessed, but the access initiation does not fit in the normal access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Resource Access by Users

This report displays successful access, and failed or attempted access events. The range of outcomes is failure, success, or attempt. An outcome of attempt means that there is not sufficient information to determine if the attempt succeeded. An outcome of success means that there is enough information to know that the resource was accessed, but the access initiation did not fit the normal access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Access Events by Email Resource

This report displays unusual email resource access attempts. The range of outcomes is failure, success, or attempt (there is not sufficient information to determine if the attempt succeeded). Note: An outcome of success means that there is enough information to know that the email resource was accessed, but the access initiation does not fit in the normal email access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Access Events by Resource

This report displays unusual resource access attempts. The range of outcomes is failure, success, or attempt (there is not sufficient information to determine if the attempt succeeded). Note: An outcome of success means that there is enough information to know that the resource was accessed, but the access initiation does not fit in the normal access initiation pattern.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/


Daily Top 10 Resource Access Trends

This report displays the top 10 unusual resource access attempts for each of the past seven days. The range of outcomes is failure, success, or attempt (there is not sufficient information to determine if the attempt succeeded). Note: Success means that there is enough information to know that the resource was accessed, but the access initiation did not fit the normal access initiation pattern. The data for this report comes from a trend on a trend: the Resource Access base trend collects the raw daily counts (many more rows than the top 10, at least two orders of magnitude more), and the Daily Top 10 Resource Access Trends trend picks out the top 10 for each day. The row limit is set to 70, which gives the top 10 rows for each of the past seven days. To see the past 10 days, set the row limit to 100. Note: The Daily Top 10 Resource Access Trends trend is disabled by default. When you enable it, make sure you also enable the Resource Access base trend.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Library - Correlation Resources

Resource Access Initiation

This rule detects resource access initiation events as defined by the Access Initiation Events filter and opens a session for each in the Resource Access session list; the entry carries a start time and no end time until the Resource Access Termination rule closes it or the four-day entry expiration elapses. The rule also sets the categoryDeviceGroup field to Security Information Manager and the categorySignificance to Informational.

Rule ArcSight Foundation/Intrusion Monitoring/Resource Access/

Resource Access Termination

This rule detects resource access termination events as defined by the Access Termination Events filter, and terminates the sessions in the Brute Force Resource Access and Resource Access session lists. The rule also sets the categoryDeviceGroup field to Security Information Manager and the categorySignificance to Informational.

Rule ArcSight Foundation/Intrusion Monitoring/Resource Access/


Brute Force Resource Access Initiation

This rule detects resource access initiation events (as defined by the Access Initiation Events filter) that follow a detected brute force attack, and opens a session for each in the Brute Force Resource Access session list; the Resource Access Termination rule closes the session. The rule also sets the categoryDeviceGroup field to Security Information Manager and the categorySignificance to Informational.

Rule ArcSight Foundation/Intrusion Monitoring/Resource Access/

Library Resources

Worm Infected Systems

This resource has no description.

Active List ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Trusted List

This resource has no description.

Active List ArcSight System/Attackers

Resource Access

This field set shows the fields of interest when monitoring resource access events and includes the following fields: End Time, Name, Resource Type, User ID, User Name, Resource Zone Name, Resource Address, Device Vendor, Device Product, Access Outcome, Priority, Agent Name, Attacker Zone Name, Attacker Address. These fields are aliased by means of variables, where: Resource Type = Category Object, User ID = Target User ID, User Name = Target User Name, Resource Zone Name = Target Zone Name, Resource Address = Target Address, Access Outcome = Category Outcome.

Field Set ArcSight Foundation/Intrusion Monitoring/Active Channels/

Access to Database Resources

This filter identifies events in which the category object is /Host/Application/Database. The Access Initiation Events and Access Termination Events filters use it to restrict their matches to database resources.

Filter ArcSight Foundation/Intrusion Monitoring/Resource Access/

Access to Email Resources

This filter identifies events in which the category object is /Host/Application/Service/Email.

Filter ArcSight Foundation/Intrusion Monitoring/Resource Access/

Access to File Resources

This filter identifies events in which the category object is /Host/Resource/File.

Filter ArcSight Foundation/Intrusion Monitoring/Resource Access/

All Events

Filter that matches all events.

Filter ArcSight System/Core


Access Termination Events

This filter identifies events in which the category behavior is /Access/Stop and the event also matches the Access to Database Resources, Access to Email Resources, or Access to File Resources filter.

Filter ArcSight Foundation/Intrusion Monitoring/Resource Access/

All Access and Authentication Events

This filter identifies events in which the category behavior is Access, Authentication, or Authorization.

Filter ArcSight Foundation/Intrusion Monitoring/Resource Access/

Access Initiation Events

This filter identifies events in which the category behavior is /Access/Start, /Authentication/Verify, or /Authorization/Verify, and the event also matches the Access to Database Resources, Access to Email Resources, or Access to File Resources filter.

Filter ArcSight Foundation/Intrusion Monitoring/Resource Access/

Daily Top 10 Resource Access on Trend

This query returns data from the Daily Top 10 Resource Access Trends trend for use in the Daily Top 10 Resource Access Trends report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/


Resource Accesses

This query returns data for the Resource Access Events by Users reports. The data selected is related to the resource type, the resource zone and address, the outcome of the event (successful), the user name and ID, and the number of times the event has been recorded for that resource by that user.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Brute Force Access Closed Sessions on Trend

This query returns closed session trend information from the Brute Force Access Session Trends trend for the Brute Force Session Trends report. A closed session is one with both a start and an end time; the query provides a field (Dependent Variable) that gives the difference between these times, that is, the duration of the session.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/


Access Active Sessions

This query returns data from the Resource Access (keyed by target) session list. The data selected is resource, user, and attacker information for sessions that have not been reported closed, and are assumed to still be active.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Sessions/

Access Closed Sessions

This query returns data from the Resource Access (keyed by target) session list. The data selected is resource, user, and attacker information, and length of time the resource was accessed, for sessions that have been reported closed.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Sessions/

Brute Force Access Active Sessions on Trend

This query returns open session trend information from the Brute Force Access Session Trends trend for the Brute Force Session Trends report. An open session is one with a start time, but no end time.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Resource Access on Trend

This query returns the date, resource type, outcome, user ID, user name, resource zone, resource address and the count of events for these events from the Resource Access trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Brute Force Access Sessions Trend

This query returns data from the Brute Force Resource Access session list to collect data for the Brute Force Access Session Trends trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/Trend Queries/

Resource Access Attempts

This query returns data for the Resource Access Events by Users reports. The data selected is related to the resource type, the resource zone and address, the outcome of the event (attempt or fail), the user name and ID, and the number of times the access initiation attempt has been recorded for that resource by that user.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Brute Force Access Active Sessions

This query returns data from the Brute Force Resource Access (keyed by target) session list. The data selected is resource, user and attacker information for sessions that have not been reported closed, and are assumed to still be active.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Sessions/


Brute Force Access Closed Sessions

This query returns data from the Brute Force Resource Access (keyed by target) session list. The data selected is resource, user, and attacker information, and length of time the resource was accessed, for sessions that have been reported closed.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Sessions/

Resource Access Trend

This query returns event data for the Resource Access trend. The event data fields collected are: Category Object (the resource type), Category Outcome, Target User ID, Target User Name, Target Zone, Target Address (the resource address), and the count of the number of times the events occurred for that resource.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/Trend Queries/

Access Attempts by Resource

This query returns data for the Access Events by Resource reports. The data selected is related to the resource type, the resource zone and address, the outcome of the event, and the number of times the event has been recorded for that resource.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Resource Access/Reports on Access Events/

Brute Force Resource Access

This session list stores information about resource access after a detected brute force attack, including the initial time and duration of the access. If the end time is blank, the session is open. The session automatically closes after four days because the resource might not report the session termination.

Session List

ArcSight Foundation/Intrusion Monitoring/Resource Access/

Resource Access

This session list stores information about abnormal resource access, including the initial time and duration of the access. If the end time is blank, the session is open. The session automatically closes after four days because the resource might not report the session termination.

Session List

ArcSight Foundation/Intrusion Monitoring/Resource Access/


Daily Top 10 Resource Access Trends

This trend tracks the top 10 resource access attempts stored in the Resource Access trend. The trend runs once per day, reads all of the rows collected by the Resource Access trend, and selects the top 10 entries by count. Note: This trend is disabled by default. To work properly, both this trend and its base trend, Resource Access, must be enabled.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Brute Force Access Session Trends

This trend tracks resource access sessions following brute force attacks.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/

Resource Access

This trend tracks unusual resource access attempts, including the outcome of each attempt. Note: This trend is disabled by default. When enabled, it runs once a day and covers a full day of events.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Resource Access/
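The filters, rules, session lists and trends in this table form one chain: the three resource filters feed the Access Initiation Events and Access Termination Events filters, the initiation and termination rules open and close entries in the Resource Access session list (which expires entries after four days), and the Resource Access trend is aggregated a second time by the Daily Top 10 Resource Access Trends trend with a row limit of days times 10. The following Python model is an added example, not ArcSight content or code from this guide; it reproduces that chain over a handful of constructed events. The session key (target address plus target user name), the event field names, SAMPLE_EVENTS and NOW are assumptions made for the example.

```python
# Added example, not ArcSight code: a Python model of the Resource Access chain
# (filters -> initiation/termination rules -> session list with 4-day entry
# expiration -> Resource Access base trend -> Daily Top 10 trend on a trend).
# Field names follow the ArcSight category fields named on the page; the session
# key, SAMPLE_EVENTS and NOW are assumptions made for this example.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SESSION_TTL = timedelta(days=4)  # session list entry expiration from the guide
# Access to Database / Email / File Resources filters (category object)
RESOURCE_OBJECTS = {"/Host/Application/Database", "/Host/Application/Service/Email",
                    "/Host/Resource/File"}
INITIATION_BEHAVIORS = {"/Access/Start", "/Authentication/Verify", "/Authorization/Verify"}

def is_tracked_resource(ev):
    return ev["categoryObject"] in RESOURCE_OBJECTS

def access_initiation(ev):
    """Access Initiation Events filter."""
    return ev["categoryBehavior"] in INITIATION_BEHAVIORS and is_tracked_resource(ev)

def access_termination(ev):
    """Access Termination Events filter."""
    return ev["categoryBehavior"] == "/Access/Stop" and is_tracked_resource(ev)

class SessionList:
    """Resource Access session list: an entry with no end time is an open session."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def key(ev):  # assumption: "keyed by target" = target address + target user
        return (ev["targetAddress"], ev["targetUserName"])

    def on_event(self, ev):
        k = self.key(ev)
        cur = self.entries.get(k)
        if access_initiation(ev):            # Resource Access Initiation rule
            if cur is None or cur["end"] is not None:
                self.entries[k] = {"start": ev["endTime"], "end": None,
                                   "object": ev["categoryObject"]}
        elif access_termination(ev):         # Resource Access Termination rule
            if cur is not None and cur["end"] is None:
                cur["end"] = ev["endTime"]

    def expire(self, now):
        """Entry expiration: a session whose stop was never reported closes after TTL."""
        for s in self.entries.values():
            if s["end"] is None and now - s["start"] >= SESSION_TTL:
                s["end"] = s["start"] + SESSION_TTL

    def active(self):
        return {k: s for k, s in self.entries.items() if s["end"] is None}

def resource_access_trend(events):
    """Resource Access base trend: daily count per object/outcome/user/target."""
    counts = Counter()
    for ev in events:
        if access_initiation(ev):
            counts[(ev["endTime"].date(), ev["categoryObject"], ev["categoryOutcome"],
                    ev["targetUserName"], ev["targetAddress"])] += 1
    return counts

def daily_top10(trend, days=7, per_day=10):
    """Trend on a trend: top per_day rows per day; row limit days*per_day (70 / 100)."""
    by_day = defaultdict(list)
    for key, n in trend.items():
        by_day[key[0]].append((n, key))
    rows = []
    for day in sorted(by_day)[-days:]:
        rows.extend(sorted(by_day[day], reverse=True)[:per_day])
    return rows[:days * per_day]

def replay(events):
    """Run the rules over the events in time order and return the session list."""
    sl = SessionList()
    for ev in sorted(events, key=lambda e: e["endTime"]):
        sl.on_event(ev)
    return sl

T0 = datetime(2012, 9, 10, 8, 0)
NOW = T0 + timedelta(days=5)  # report time used for the expiry check

def _ev(minutes, behavior, obj, outcome, user, target):
    return {"endTime": T0 + timedelta(minutes=minutes), "categoryBehavior": behavior,
            "categoryObject": obj, "categoryOutcome": outcome,
            "targetUserName": user, "targetAddress": target}

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    _ev(0, "/Authentication/Verify", "/Host/Application/Database", "/Failure", "alice", "10.0.0.5"),
    _ev(1, "/Authentication/Verify", "/Host/Application/Database", "/Failure", "alice", "10.0.0.5"),
    _ev(2, "/Access/Start", "/Host/Application/Database", "/Success", "alice", "10.0.0.5"),
    _ev(30, "/Access/Stop", "/Host/Application/Database", "/Success", "alice", "10.0.0.5"),
    _ev(5, "/Access/Start", "/Host/Resource/File", "/Success", "bob", "10.0.0.7"),
    _ev(6, "/Access/Start", "/Host/Application/Service/Email", "/Attempt", "carol", "10.0.0.9"),
    _ev(7, "/Access/Start", "/Host/Application/Web", "/Success", "dave", "10.0.0.11"),  # untracked
    _ev(8, "/Execute/Start", "/Host/Resource/File", "/Success", "erin", "10.0.0.7"),  # not access
]
```

Calling replay(SAMPLE_EVENTS) leaves alice's session closed after 30 minutes and bob's and carol's open, because no /Access/Stop was ever reported for them; expire(NOW) then closes both with a four-day duration, which is exactly what the Access Activity report will show for resources that never log a termination. The web and execute events fall outside the three resource filters and never reach the session list or the trend, and the daily top-10 picks the repeated failed database authentication ahead of the single successful accesses.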


Revenue Generating Systems

The Revenue Generating Systems resources provide reports that focus on attacked or compromised systems that have been categorized in the Revenue Generation category under Business Impact Analysis/Business Role.

Devices

The following device types can supply events that apply to the Revenue Generating Systems resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Resources

The following table lists all the resources in the Revenue Generating Systems resource group and any dependent resources.

Table 3-12 Resources that Support the Revenue Generating Systems Group

Resource Description Type URI

Monitor Resources

Revenue Generating Systems - Attacked

This report displays the target host name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Compromise - All

This report displays the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a category outcome of success.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/


Revenue Generating Systems - Compromise - Confidentiality

This report displays the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a category technique of Information Leak and a category outcome of success.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Compromise - Availability

This report displays the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a category technique of DoS and a category outcome of success.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Compromise - Integrity

This report displays the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a category outcome of success and a category technique that is neither DoS nor one that starts with Information Leak (that is, successful attacks not already counted by the Availability or Confidentiality reports).

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Library Resources

Revenue Generation

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis/Business Role

Attack Events

This filter identifies events where the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

All Events

Filter that matches all events.

Filter ArcSight System/Core


Revenue Generating Systems - Compromise - Confidentiality

This query returns the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a category technique of Information Leak and a category outcome of success.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Compromise - Availability

This query returns the target host name and the count of vulnerabilities for events with Target Asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a Category Technique of DoS and a Category Outcome of success.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Compromise - Integrity

This query returns the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a category outcome of success and a category technique that is neither DoS nor one that starts with Information Leak.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Compromise - All

This query returns the target host name and the count of vulnerabilities for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter with a Category Outcome of success.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/

Revenue Generating Systems - Attacked

This query returns the target host name and the sum of the aggregated event count for events with target asset IDs in the /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset category, matching the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Revenue Generating Systems/
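The four Revenue Generating Systems queries differ only in how they narrow the Attack Events filter, and the Integrity query is defined as the complement of the other two compromise queries. The following Python model is an added example, not ArcSight content or code from this guide; it expresses the filter and the queries as predicates over constructed events and checks that the Availability, Confidentiality and Integrity buckets partition the Compromise - All set, which is the property that breaks if Integrity is written as "not DoS or starts with Information Leak". Membership in the Revenue Generation asset category is modelled as a lookup by target address, category technique values are written with a leading slash, and the compromise queries are modelled as event counts per host (the guide says count of vulnerabilities); these are assumptions made for the example.

```python
# Added example, not ArcSight code: the Attack Events filter and the Revenue
# Generating Systems queries as predicates over event dicts, run on constructed
# events. Asset-category membership is modelled as a lookup by target address,
# technique values carry a leading slash, and the compromise queries are
# modelled as event counts per host; all three are assumptions.
from collections import Counter

REVENUE_CATEGORY = ("/All Asset Categories/Site Asset Categories/"
                    "Business Impact Analysis/Business Role/Revenue Generation")
ASSET_CATEGORIES = {  # constructed: which target assets carry the category
    "10.1.1.10": {REVENUE_CATEGORY},
    "10.1.1.11": {REVENUE_CATEGORY},
    "10.9.9.9": set(),
}

def attack_event(ev):
    """Attack Events filter: category significance starts with Compromise or Hostile."""
    return ev["categorySignificance"].startswith(("/Compromise", "/Hostile"))

def attacked(ev):
    """Revenue Generating Systems - Attacked."""
    return attack_event(ev) and REVENUE_CATEGORY in ASSET_CATEGORIES.get(ev["targetAddress"], set())

def compromise_all(ev):
    return attacked(ev) and ev["categoryOutcome"] == "/Success"

def compromise_availability(ev):
    return compromise_all(ev) and ev["categoryTechnique"] == "/DoS"

def compromise_confidentiality(ev):
    return compromise_all(ev) and ev["categoryTechnique"].startswith("/Information Leak")

def compromise_integrity(ev):
    # everything in Compromise - All that is neither DoS nor Information Leak
    t = ev["categoryTechnique"]
    return compromise_all(ev) and t != "/DoS" and not t.startswith("/Information Leak")

QUERIES = {
    "Attacked": attacked,
    "Compromise - All": compromise_all,
    "Compromise - Availability": compromise_availability,
    "Compromise - Confidentiality": compromise_confidentiality,
    "Compromise - Integrity": compromise_integrity,
}

def summarize(events):
    """Per-query totals by target host name. Attacked sums the aggregated event
    count as the report does; the compromise queries count matching events."""
    out = {name: Counter() for name in QUERIES}
    for ev in events:
        for name, pred in QUERIES.items():
            if pred(ev):
                out[name][ev["targetHostName"]] += (ev["aggregatedEventCount"]
                                                    if name == "Attacked" else 1)
    return out

def buckets_partition_all(events):
    """Each Compromise - All event must land in exactly one of the three CIA buckets."""
    hits = [sum((compromise_availability(ev), compromise_confidentiality(ev),
                 compromise_integrity(ev)))
            for ev in events if compromise_all(ev)]
    return all(h == 1 for h in hits)

def _ev(sig, outcome, technique, host, addr, agg=1):
    return {"categorySignificance": sig, "categoryOutcome": outcome,
            "categoryTechnique": technique, "targetHostName": host,
            "targetAddress": addr, "aggregatedEventCount": agg}

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    _ev("/Hostile", "/Attempt", "/Exploit/Vulnerability", "web1", "10.1.1.10", agg=5),
    _ev("/Compromise", "/Success", "/DoS", "web1", "10.1.1.10"),
    _ev("/Compromise", "/Success", "/Information Leak/Memory", "db1", "10.1.1.11"),
    _ev("/Compromise", "/Success", "/Exploit/Vulnerability", "db1", "10.1.1.11", agg=2),
    _ev("/Compromise", "/Success", "/Exploit/Vulnerability", "lab1", "10.9.9.9"),  # not revenue
    _ev("/Informational", "/Success", "/DoS", "web1", "10.1.1.10"),  # not an attack event
]
```

With these events summarize(SAMPLE_EVENTS) reports web1 as attacked with a weight of 6 and db1 with 3, one availability compromise on web1, one confidentiality and one integrity compromise on db1, and buckets_partition_all confirms the three compromise buckets add up to Compromise - All with no event counted twice. The lab host and the informational DoS event never reach any report because they fail the asset category lookup and the Attack Events filter respectively.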


SANS Top 5 Reports

The SANS Top 5 Reports resources provide information that helps address the SANS Institute's Top 5 Essential Log Reports, a list of what, at a minimum, every IT staff member should know about their network.

Devices

The following device types can supply events that apply to the SANS Top 5 Reports resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Vulnerability scanners

Resources

The following table lists all the resources in the SANS Top 5 Reports resource group and any dependent resources.

Table 3-13 Resources that Support the SANS Top 5 Reports Group

Resource Description Type URI

Monitor Resources

Top Alerts from IDS and IPS

This report shows the top alerts originating from Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Top 10 Vulnerable Systems - Today

This report shows the top 10 current vulnerable systems.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/

Top 5 IDS Signatures per Day

This report shows the top five IDS signatures per day. You can focus this report by device vendor and product.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Top 5 Users with Failed Logins - Today

This report shows the top five users with the highest number of failed login attempts for the current day.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/


Total Number of Vulnerable Systems - Yearly

This report shows the total number of vulnerable systems by week for a given year.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Trend Reports/

Total Number of Vulnerable Systems - Monthly

This report shows the total number of vulnerable systems by week for a given month.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Trend Reports/

Top 5 IDS Signature Destinations per Day

This report shows the top five IDS signature destinations per day.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Top 5 IDS Signature Sources per Day

This report shows the top five IDS signature sources per day.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Number of Failed Logins - Weekly

This report shows the number of failed logins per day for a given week.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Trend Reports/

Vulnerability Scanner Logs - by Host

This report shows vulnerability scanner logs grouped by zone and host IP address. You can focus this report by device vendor and device product. The report defaults to the McAfee FoundScan device.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/

Top 10 Talkers

This report shows the top 10 talkers and a detailed list of the top talkers.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Number of Failed Logins - Daily

This report shows the number of failed logins per hour for a given day.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Trend Reports/


Top 5 Users with Failed Logins - Weekly

This report shows the top five users with the highest number of failed login attempts for a given week.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Trend Reports/

Top Target IPs

This report shows the top 10 target IP addresses with a detailed list of the top targets.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/

Vulnerability Scanner Logs - by Vulnerability

This report shows vulnerability scanner logs grouped by vulnerability ID and name. You can focus this report by device vendor and device product. The report defaults to the McAfee FoundScan device.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/

Top 5 Users with Failed Logins - Daily

This report shows the top five users with the highest number of failed login attempts for a given day.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Trend Reports/

Number of Failed Logins - Today

This report shows the number of failed logins per hour for the last day.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/

Top 10 Vulnerable Systems - Weekly

This report shows the top 10 vulnerable systems for a given week.

Report ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Trend Reports/

Library Resources

IDS - IPS Events

This filter identifies Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) events.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Attack Events

This filter identifies events where the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/


Scanner Events

This filter identifies events from network vulnerability scanners, defined as events where Category Behavior = /Found/Vulnerable, Category Device Group = /Assessment Tools, Category Technique StartsWith /Scan, and Category Technique Contains vulnerability. This filter is used by the Vulnerability Scanner Events active channel.

Filter ArcSight Foundation/Intrusion Monitoring/Vulnerability View/

All Events

This filter matches all events.

Filter ArcSight System/Core

Top 5 IDS Signatures per Day (Snort-Snort)

This report shows the top five Snort signatures per day in a chart.

Focused Report

ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Focused Reports/

Top 5 Signatures per Day (CISCO-CiscoSecureIDS)

This report shows the top five Cisco Secure IDS signatures per day in a chart.

Focused Report

ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Focused Reports/

Top Users with Failed Logins per Day

This query returns the day, the target user name, and the number of occurrences for failed authentication verifications.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Top Users with Failed Logins/Event Queries/

Failed Logins per Hour

This query returns the hour and the number of occurrences for failed authentication verifications.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Number of Failed Logins/Event Queries/

Top 10 Targets

This query returns the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter. It is used in the following reports: Top N Targets, Top N Targets (3D Pie Chart), Top N Targets (Bar Chart), Top N Targets (Inverted Bar Chart), Top N Targets (Pie Chart), Top N Targets (Table and Chart), and Top N Targets (Table).

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/


Failed Logins per Hour

This query returns the hour and the number of occurrences for failed authentication verifications.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Number of Failed Logins/Event Queries/

Top Users with Failed Logins per Week

This query on the Top Users with Failed Logins per Day trend returns the sum of the number of failed logins for each username within the week.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Top Users with Failed Logins/Trend Queries/

Top IDS Signatures by IDS Product

This query on base /IDS/Network events returns, for the selected device vendor and device product, the device event class ID and the count based on the end time. Snort is the default device vendor and product. You can select a different device vendor when running the report.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Top 5 IDS Signatures per Day/

Top Vulnerable Systems per Week

This query on the Number of Vulnerabilities per Asset trend returns the asset name, IP address, host name, and device zone name and averages the number of vulnerabilities associated with that device per week.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Top Vulnerable Systems/Trend Queries/

Top IDS Signature Sources per Day

This query over base IDS/Network events returns the attacker address, attacker zone name, device vendor, device product, and the count of the events within the query timeframe.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Top 5 IDS Signature Sources per Day/

Top 10 Talkers

This query returns the attacker zone name, attacker address, and the count of events in which the category significance starts with Compromise or Hostile. The query uses the sum of the aggregated event count instead of counting the EventID so that attackers are not split by the event name.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Top 10 Talkers/
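The following is an added example, not content from the ArcSight package, showing the Attack Events filter and the Top 10 Talkers query over a handful of constructed events. It uses the ESM event field names named in this guide (categorySignificance, attackerZoneName, attackerAddress, aggregatedEventCount); the event values themselves are made up. The second function is the variant the query description avoids, counting EventIDs, so the two rankings can be compared on the same input.

```python
from collections import defaultdict

# Constructed sample events (not real data) carrying the ESM fields the
# Attack Events filter and the Top 10 Talkers query read. aggregatedEventCount
# is the number of identical base events a connector folded into one row.
EVENTS = [
    {"eventId": 1, "name": "WEB-IIS cmd.exe access", "categorySignificance": "/Hostile",
     "attackerZoneName": "Internet", "attackerAddress": "203.0.113.10", "aggregatedEventCount": 40},
    {"eventId": 2, "name": "SHELLCODE x86 NOOP", "categorySignificance": "/Hostile",
     "attackerZoneName": "Internet", "attackerAddress": "203.0.113.10", "aggregatedEventCount": 25},
    {"eventId": 3, "name": "WEB-PHP remote file include", "categorySignificance": "/Hostile",
     "attackerZoneName": "DMZ", "attackerAddress": "192.0.2.5", "aggregatedEventCount": 5},
    {"eventId": 4, "name": "WEB-PHP remote file include", "categorySignificance": "/Hostile",
     "attackerZoneName": "DMZ", "attackerAddress": "192.0.2.5", "aggregatedEventCount": 5},
    {"eventId": 5, "name": "Administrator login from DMZ host", "categorySignificance": "/Compromise",
     "attackerZoneName": "DMZ", "attackerAddress": "192.0.2.5", "aggregatedEventCount": 5},
    {"eventId": 6, "name": "ICMP PING NMAP", "categorySignificance": "/Recon",
     "attackerZoneName": "Internet", "attackerAddress": "198.51.100.7", "aggregatedEventCount": 500},
    {"eventId": 7, "name": "Accepted password", "categorySignificance": "/Informational",
     "attackerZoneName": "Corp", "attackerAddress": "10.0.0.9", "aggregatedEventCount": 1},
]


def attack_events(event):
    """Attack Events filter: category significance starts with Compromise or Hostile."""
    return event["categorySignificance"].startswith(("/Compromise", "/Hostile"))


def top_talkers(events, n=10):
    """Top 10 Talkers query: attacker (zone, address) ranked by the SUM of
    aggregatedEventCount over events passing the Attack Events filter."""
    totals = defaultdict(int)
    for e in filter(attack_events, events):
        totals[(e["attackerZoneName"], e["attackerAddress"])] += e["aggregatedEventCount"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_talkers_by_row_count(events, n=10):
    """The variant the guide avoids: counting EventIDs per attacker. Each
    aggregated row counts once no matter how many base events it represents,
    so the ranking follows the number of distinct rows (and therefore of
    distinct event names) rather than the volume of hostile traffic."""
    counts = defaultdict(int)
    for e in filter(attack_events, events):
        counts[(e["attackerZoneName"], e["attackerAddress"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("sum(aggregatedEventCount):", top_talkers(EVENTS))
    print("count(eventId):           ", top_talkers_by_row_count(EVENTS))
```

On this input the two rankings disagree: summing the aggregated count puts 203.0.113.10 first with 65 events, whereas counting rows puts 192.0.2.5 first because its three smaller bursts were stored as three rows. The Recon and Informational events never reach either ranking because the Attack Events filter drops them.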

Top IDS and IPS Alerts

This query returns IDS and IPS alert events, selecting the device event class ID, event name, device vendor, device product, and a count on the end time of the event.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Top Alerts from IDS/


Number of Vulnerabilities per Asset

This query on assets returns the asset name, IP address, host name, and device zone name and counts the number of vulnerabilities associated with that device.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Top Vulnerable Systems/Asset Queries/

Top IDS Signature Destinations per Day

This query over base IDS/Network events returns the target address, target zone name, device vendor, device product, and the count of the events within the query timeframe.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/5 - Suspicious or Unauthorized Network Traffic Patterns/Top 5 IDS Signature Destinations per Day/

Number of Vulnerabilities per Week

This query on the Number of Vulnerabilities per Asset trend returns the asset name, IP address, host name, and device zone name and averages the number of vulnerabilities associated with that device per week.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Total Number of Vulnerable Systems/Trend Queries/

Failed Logins per Day

This query on the Failed Logins per Hour trend returns the sum of the number of failed logins for the day.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Number of Failed Logins/Trend Queries/

Vulnerability Scanner Logs

This query retrieves events for scanner events (defaulting to the McAfee FoundScan scanner) and returns the target address, the target zone name, the device event class ID, and the event (vulnerability) name.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/Vulnerability Scanner Logs - by Host/

Top Users with Failed Logins per Day

This query returns the day, the target user name, and the number of occurrences for failed authentication verifications.

Query ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/Top Users with Failed Logins/Event Queries/

Top Users with Failed Logins per Day

This trend stores the top 1000 users with the highest number of failed logins per day.

Trend ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/


Number of Vulnerabilities per Asset

This trend stores the number of vulnerabilities associated to an asset on a weekly basis.

Trend ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/4 - Systems Most Vulnerable to Attack/

Failed Logins per Hour

This trend stores the number of failed logins per hour and is scheduled to run daily.

Trend ArcSight Foundation/Intrusion Monitoring/SANS Top 5 Reports/1 - Attempts to Gain Access Through Existing Accounts/
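The following is an added example, not ArcSight content, of the two trend pipelines described in this group: the Failed Logins per Hour trend summed by the Failed Logins per Day query, and the Top Users with Failed Logins per Day trend summed by the Top Users with Failed Logins per Week query. The events are constructed; the categorisation assumed for a failed login (categoryBehavior /Authentication/Verify with categoryOutcome /Failure) is an assumption of the example. It also shows a consequence of trend-based reporting that follows from the descriptions above: because the daily trend stores only the top N users, the weekly query can only sum what was stored, so a user who never makes the daily top N is absent from the weekly result.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed failed-login events (not real log data). The categorisation used
# for a failed login here, categoryBehavior=/Authentication/Verify with
# categoryOutcome=/Failure, is the ESM convention this example assumes.
def ev(ts, user, behavior="/Authentication/Verify", outcome="/Failure"):
    return {"endTime": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "targetUserName": user,
            "categoryBehavior": behavior, "categoryOutcome": outcome}

EVENTS = [
    ev("2012-09-10 03:05:00", "svc_backup"), ev("2012-09-10 03:07:00", "svc_backup"),
    ev("2012-09-10 03:09:00", "svc_backup"), ev("2012-09-10 03:12:00", "jsmith"),
    ev("2012-09-10 03:30:00", "jsmith"), ev("2012-09-10 09:00:00", "admin"),
    ev("2012-09-10 09:01:00", "admin", outcome="/Success"),        # succeeded: not counted
    ev("2012-09-11 03:04:00", "svc_backup"), ev("2012-09-11 03:06:00", "svc_backup"),
    ev("2012-09-11 03:08:00", "svc_backup"), ev("2012-09-11 14:00:00", "jsmith"),
    ev("2012-09-11 14:01:00", "jsmith"), ev("2012-09-11 14:02:00", "admin"),
    ev("2012-09-11 14:03:00", "root", behavior="/Access/Start"),   # not an authentication check
]

def is_failed_login(e):
    return e["categoryBehavior"] == "/Authentication/Verify" and e["categoryOutcome"] == "/Failure"

def failed_logins_per_hour(events):
    """Failed Logins per Hour trend: one row per hour bucket (the event query behind it)."""
    return Counter(e["endTime"].strftime("%Y-%m-%d %H") for e in events if is_failed_login(e))

def failed_logins_per_day(hourly_trend):
    """Failed Logins per Day trend query: sums the stored hourly rows for each day."""
    daily = Counter()
    for hour, n in hourly_trend.items():
        daily[hour[:10]] += n
    return daily

def top_users_per_day(events, n=1000):
    """Top Users with Failed Logins per Day trend: keeps only the top n users per day."""
    per_day = defaultdict(Counter)
    for e in filter(is_failed_login, events):
        per_day[e["endTime"].strftime("%Y-%m-%d")][e["targetUserName"]] += 1
    return {day: users.most_common(n) for day, users in per_day.items()}

def top_users_per_week(daily_trend):
    """Top Users with Failed Logins per Week trend query: sums the daily rows per ISO week.
    Only users that made the daily top n are present, so each weekly sum is a lower bound."""
    weekly = defaultdict(Counter)
    for day, rows in daily_trend.items():
        week = datetime.strptime(day, "%Y-%m-%d").strftime("%G-W%V")
        for user, n in rows:
            weekly[week][user] += n
    return {week: users.most_common() for week, users in weekly.items()}

if __name__ == "__main__":
    print(failed_logins_per_day(failed_logins_per_hour(EVENTS)))
    print("n=1000:", top_users_per_week(top_users_per_day(EVENTS)))
    print("n=2:   ", top_users_per_week(top_users_per_day(EVENTS, n=2)))   # admin drops out
```

With the default N of 1000 the weekly result lists all three users; with N lowered to 2, admin is absent from the week even though the account failed twice, because it never ranked in a daily top 2. When a weekly report built on a daily top-N trend is used for low-and-slow detection, this truncation is the first thing to check.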


SANS Top 20

The SANS Top 20 resources provide the context for a series of email and operating system rules that look for specific events that relate to vulnerabilities. The SANS Top 20 reports show assets on which these vulnerabilities have been exploited.

Devices

The following device types can supply events that apply to the SANS Top 20 resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Vulnerability scanners

Configuration

The SANS Top 20 resource group requires the following configuration for your environment:

Enable the SANS Top 20 (v6.01) Attacked Systems trend—The data from this trend is used for the Trend: Inbound DoS Events - Yesterday, the SANS Top 20 (v6.01) Vulnerability Area Activity - Hourly Report and the SANS Top 20 (v6.01) Attacked Systems - Hourly Report.

Resources

The following table lists all the resources in the SANS Top 20 resource group and any dependent resources.

Table 3-14 Resources that Support the SANS Top 20 Group

Resource Description Type URI

Monitor Resources

Trend: Inbound DoS Events - Yesterday

This trend report displays the target zones and the associated number of DoS events per hour.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/

SANS Top 20 (v6.01) Vulnerability Area Activity - Hourly Report

This report shows the different SANS Top 20 Vulnerability areas (Operating System, email, and so on) and how many attacks for each area have occurred in the last 60 minutes. This report uses data generated by events from the SANS Top 20 rules.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/SANS Top 20/


SANS Top 20 (v6.01) Attacked Systems - Hourly Report

This report provides a view of the different SANS Top 20 Vulnerabilities and how many attacks for each vulnerability have occurred within the last 60 minutes. The report uses data generated by events from the SANS Top 20 rules.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/SANS Top 20/

Library - Correlation Resources


SANS Top 20 OS (v6.01) - Microsoft Task Scheduler Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft Task Scheduler vulnerability. The Microsoft Windows Task Scheduler is an ActiveX control that schedules arbitrary commands to be run on a system. There is a buffer overflow in the scheduler due to not properly checking attributes of the command names tasked within the scheduler.

The rule checks for events related to inbound traffic categorized as hostile or compromise, with an outcome of no failure, to assets with the vulnerability category MSSB:MS04-022 or CVE:CAN-2004-0212. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft Task Scheduler Service Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft Task Scheduler Service Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS04-022 and CVE:CAN-2004-0212.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft WINS Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for WINS vulnerabilities. The Windows Internet Naming Service (WINS) provides a mapping between NetBIOS computer names and IP addresses. Incoming WINS packets are not sufficiently validated on the name parameter, allowing a buffer overflow. Additionally, there is a heap-based buffer overflow in the server-to-server replication protocol due to not properly validating the association context data structure.

The rule checks for events related to inbound traffic on port 42 (UDP or TCP), categorized as hostile or compromise, with an outcome of no failure, to assets with the vulnerability category MSSB:MS04-045, CVE:CAN-2004-0567 or CVE:CAN-2004-1080. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft WINS Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft WINS Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS04-045, CVE:CAN-2004-0567 and CVE:CAN-2004-1080.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft SMB Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft SMB Service vulnerability. The Microsoft Server Message Block (SMB) protocol allows sharing of files, printers, serial ports, and so on. There are flaws in SMB packet validation that might result in a buffer receiving inappropriate data.

The rule checks for events related to inbound traffic on TCP ports 139 or 445, categorized as hostile or compromise, with an outcome of no failure, to assets with the vulnerability category MSSB:MS05-011 or MSSB:MS05-027. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft SMB Service Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft SMB Service Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-011, MSSB:MS05-027, CVE:CAN-2005-0045 and CVE:CAN-2005-1206.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 Email (v6.01) - Microsoft Office XP Buffer Overflow Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W4 Microsoft Office and Outlook Express for the Microsoft OLE and COM Remote Code Execution vulnerabilities (see http://www.sans.org/top20/2005/#w4 for details). There is a buffer overflow error in Microsoft Office XP that might allow an attacker to gain full control of a system where the user is tricked into clicking on a link to a malicious file, either from an email message or through Internet Explorer.

The rule checks for base events related to outbound traffic from an application with behavior categorized as Communicate/Query or starting with Access, with an outcome of no failure, from source systems with a Microsoft operating system.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 Email (v6.01) - Microsoft Office XP buffer overflow vulnerability Exploit Attempt
agentSeverity: Medium
categoryBehavior: /Communicate/Query
categoryObject: /Host/Operating System
categoryOutcome: /Attempt
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: Email
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft Office XP buffer overflow vulnerability Exploit Attempt
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-005 and CVE:CAN-2004-0848.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Email/


SANS Top 20 OS (v6.01) - Microsoft Plug and Play Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft Plug and Play Service vulnerability. The Microsoft Plug and Play Service contains buffer overflows that might allow a remote user to execute arbitrary code.

The rule checks for events related to inbound traffic on TCP ports 139 or 445, categorized as hostile or compromise, with an outcome of no failure, to assets with the vulnerability category MSSB:MS05-039 or MSSB:MS05-047. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft Plug and Play Service Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft Plug and Play Service Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-039, MSSB:MS05-047, CVE:CAN-2005-1983 and CVE:CAN-2005-2120.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft NetDDE Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft NetDDE Service vulnerability. The Microsoft Network Dynamic Data Exchange (NetDDE) protocol has a buffer management flaw in the way malformed messages are handled that exposes a vulnerability that might allow an attacker to compromise the vulnerable system.

The rule checks for events related to inbound traffic on TCP ports 135, 139, 445 or 593, or UDP ports 135, 137, 138 or 445, categorized as hostile or compromise, with an outcome of no failure. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft NetDDE Service Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft NetDDE Service Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS04-031 and CVE:CAN-2004-0206.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft NNTP Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft NNTP Service vulnerability. The Microsoft Network News Transport Protocol (NNTP) Service in Internet Information Services (IIS) has several flaws in the way the NNTP component handles the parsing of user search patterns for the XPAT command. A remote, unauthenticated attacker might execute arbitrary code with administrative privileges on a vulnerable system.

The rule checks for events related to inbound traffic on ports 119 or 563 (TCP or UDP), categorized as hostile or compromise, with an outcome of no failure, to assets with the vulnerability category MSSB:MS04-036 or CVE:CAN-2004-0574. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft NNTP Service Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft NNTP Service Vulnerabilities
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS04-036 and CVE:CAN-2004-0574.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft License Logging Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft License Logging Service vulnerabilities. The Microsoft License Logging service has an unchecked buffer that might allow an attacker to remotely execute arbitrary code.

The rule checks for events related to inbound traffic on TCP ports 139 or 445, categorized as hostile or compromise, with an outcome of no failure. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft License Logging Service Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft License Logging Service Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-010 and CVE:CAN-2005-0050.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft Exchange SMTP Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1 for details) for the Exchange SMTP Service vulnerability. There is a buffer overflow error in the way that Exchange (2000 and Server 2003) handles an SMTP extension that might allow a remote attacker to execute arbitrary code or cause a denial of service.

The rule checks for events related to inbound traffic on port 25, categorized as hostile or compromise, with an outcome of no failure, to target systems with a Microsoft operating system. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group. If the target system is not in the Microsoft operating system Asset Group, the asset ID should either be NULL or not in any Operating System group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft Exchange SMTP Service Vulnerability Exploited
agentSeverity: Very High
categoryBehavior: /Communicate/Query
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.0.1)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft Exchange SMTP Service Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-021 and CVE:CAN-2005-0560.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/


SANS Top 20 OS (v6.01) - Microsoft MSDTC and COM Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft MSDTC and COM+ Services vulnerabilities. The Microsoft Distributed Transaction Coordinator (MSDTC), COM+, Transaction Internet Protocol (TIP) and Distributed TIP services have flaws that might allow an attacker to execute arbitrary code, elevate local privileges or cause a denial of service.

The rule checks for events related to inbound traffic on TCP ports 135, 139, 445, 593, 1025 or 3372, or UDP ports 135, 137, 138 or 445, categorized as hostile or compromise, with an outcome of no failure. It then looks for events related to traffic from the target system to the attacking system, if the target system's asset ID is within the Microsoft operating system Asset Group.

If the above conditions are met, an event is sent with the following additional settings:

name: SANS Top 20 (v6.01) - Microsoft MSDTC or COM+ Services Vulnerability Exploited
agentSeverity: Very-High
categoryBehavior: /Execute
categoryObject: /Host/Operating System
categoryOutcome: /Success
categorySignificance: /Compromise
categoryTechnique: /Exploit/Vulnerability
Device Custom String1: SANS Top 20 (v6.01)
Device Custom String1 Label: Rule Type
Device Custom String2: OS
Device Custom String2 Label: Vulnerability Area
Device Custom String3: Microsoft MSDTC or COM+ Services Vulnerability Exploited
Device Custom String3 Label: Vulnerability Name

The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-051, CVE:CAN-2005-1978, CVE:CAN-2005-1979, CVE:CAN-2005-1980 and CVE:CAN-2005-2119.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/

Resource Description Type URI


SANS Top 20 OS (v6.01) - Microsoft Message Queuing Service Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W1 Windows Services (see http://www.sans.org/top20/2005/#w1) for the Microsoft Message Queuing Service vulnerabilities. The Microsoft Message Queuing service has an unchecked buffer that might allow an attacker to remotely execute arbitrary code. The rule checks for events related to inbound traffic on TCP ports 135, 139, 445, 593, 1801, 2101, 2103, 2105 or 2107, or UDP ports 135, 137, 138, 445, 1801 or 3527, categorized as hostile or compromise, with an outcome of no failure. It then looks for events related to traffic from the target system to the attacking system, if the target system asset ID is within the Microsoft operating system Asset Group. If the above conditions are met, the following actions are taken: An event is sent with the following additional settings: name: SANS Top 20 (v6.01) - Microsoft Message Queuing Service Vulnerability Exploited, agentSeverity: Very-High, categoryBehavior: /Execute, categoryObject: /Host/Operating System, categoryOutcome: /Success, categorySignificance: /Compromise, categoryTechnique: /Exploit/Vulnerability, Device Custom String1: SANS Top 20 (v6.01), Device Custom String1 Label: Rule Type, Device Custom String2: OS, Device Custom String2 Label: Vulnerability Area, Device Custom String3: Microsoft Message Queuing Service Vulnerability Exploited, Device Custom String3 Label: Vulnerability Name. The relevant Microsoft Security Bulletins and CVE identifiers are MSSB:MS05-017 and CVE:CAN-2005-0059.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Operating Systems/
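The two SANS Top 20 OS rules above share one detection shape: a stage-1 inbound event (hostile or compromise, outcome not failure, on a listed port) followed by a stage-2 event in which the target talks back to the attacker, with the correlation event fired only when the target is in the Microsoft OS asset group. The following Python is an added example that models that logic in memory; it is not ArcSight's rule engine or any content shipped with ESM. Event dicts keyed by ESM-style field names, the asset group membership and the sample events are all constructed for the example.

```python
"""Two-stage correlation modelled on the SANS Top 20 OS rules in the guide.

Added example, not ArcSight content. Stage 1 records an inbound hostile or
compromise event with an outcome other than failure on a listed port; stage 2
completes when the target sends traffic back to the attacker and the target
belongs to the (constructed) Microsoft OS asset group.
"""

# Port lists taken from the two rule descriptions in the guide.
RULES = {
    "Microsoft MSDTC or COM+ Services Vulnerability Exploited": {
        "TCP": {135, 139, 445, 593, 1025, 3372},
        "UDP": {135, 137, 138, 445},
    },
    "Microsoft Message Queuing Service Vulnerability Exploited": {
        "TCP": {135, 139, 445, 593, 1801, 2101, 2103, 2105, 2107},
        "UDP": {135, 137, 138, 445, 1801, 3527},
    },
}

# Constructed stand-in for the Microsoft operating system Asset Group.
MICROSOFT_OS_ASSETS = {"10.0.0.5", "10.0.0.6"}


def stage1_matches(ev):
    """Return the rule names whose stage-1 conditions the event satisfies."""
    sig = ev.get("categorySignificance", "")
    if not (sig.startswith("/Hostile") or sig.startswith("/Compromise")):
        return []
    if ev.get("categoryOutcome") == "/Failure":   # "outcome of no failure"
        return []
    proto, port = ev.get("transportProtocol"), ev.get("targetPort")
    return [n for n in RULES if port in RULES[n].get(proto, ())]


def correlation_event(rule_name, attacker, target):
    """Build the correlation event with the settings the guide lists."""
    return {
        "name": "SANS Top 20 (v6.01) - " + rule_name,
        "agentSeverity": "Very-High",
        "categoryBehavior": "/Execute",
        "categoryObject": "/Host/Operating System",
        "categoryOutcome": "/Success",
        "categorySignificance": "/Compromise",
        "categoryTechnique": "/Exploit/Vulnerability",
        "deviceCustomString1": "SANS Top 20 (v6.01)",
        "deviceCustomString1Label": "Rule Type",
        "deviceCustomString2": "OS",
        "deviceCustomString2Label": "Vulnerability Area",
        "deviceCustomString3": rule_name,
        "deviceCustomString3Label": "Vulnerability Name",
        "attackerAddress": attacker,
        "targetAddress": target,
    }


class SansTop20Correlator:
    def __init__(self, ms_assets):
        self.ms_assets = ms_assets
        self.pending = {}   # (attacker, target) -> rule names awaiting stage 2

    def process(self, ev):
        """Feed one event; return any correlation events it completes."""
        for name in stage1_matches(ev):
            key = (ev["attackerAddress"], ev["targetAddress"])
            self.pending.setdefault(key, set()).add(name)
        # Stage 2: the earlier target now talks back to the earlier attacker,
        # so the pending pair shows up with attacker and target swapped.
        key = (ev["targetAddress"], ev["attackerAddress"])
        if key in self.pending and key[1] in self.ms_assets:
            return [correlation_event(n, *key) for n in sorted(self.pending.pop(key))]
        return []


def run_sample():
    """Replay constructed events through the correlator; return what fires."""
    def ev(src, dst, proto, port, sig, outcome):
        return {"attackerAddress": src, "targetAddress": dst,
                "transportProtocol": proto, "targetPort": port,
                "categorySignificance": sig, "categoryOutcome": outcome}

    sample = [
        # MSDTC port, then the target answers: fires the MSDTC rule only.
        ev("192.0.2.10", "10.0.0.5", "TCP", 3372, "/Hostile/Attempt", "/Attempt"),
        ev("10.0.0.5", "192.0.2.10", "TCP", 4444, "/Informational", "/Success"),
        # Message Queuing port against a host outside the asset group: no fire.
        ev("192.0.2.11", "10.0.0.9", "TCP", 1801, "/Hostile/Attempt", "/Attempt"),
        ev("10.0.0.9", "192.0.2.11", "TCP", 4444, "/Informational", "/Success"),
        # Blocked attempt (outcome failure) never enters stage 1.
        ev("192.0.2.12", "10.0.0.6", "TCP", 445, "/Hostile/Attempt", "/Failure"),
        ev("10.0.0.6", "192.0.2.12", "TCP", 4444, "/Informational", "/Success"),
        # Port 135 is in both lists, so the reply completes both rules.
        ev("192.0.2.13", "10.0.0.6", "TCP", 135, "/Compromise/Success", "/Success"),
        ev("10.0.0.6", "192.0.2.13", "TCP", 4444, "/Informational", "/Success"),
    ]
    corr = SansTop20Correlator(MICROSOFT_OS_ASSETS)
    fired = []
    for e in sample:
        fired.extend(corr.process(e))
    return fired


if __name__ == "__main__":
    for c in run_sample():
        print(c["name"], c["attackerAddress"], "->", c["targetAddress"])
```

The sample replay shows why the asset-group check matters: the same port pattern against a host outside the Microsoft OS group produces nothing, which keeps the rule from firing on non-Windows targets that happen to expose the same port numbers. A production rule would also expire pending stage-1 matches after a time window; that is omitted here to keep the example short.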


SANS Top 20 Email (v6.01) - Microsoft OLE and COM Remote Code Execution Vulnerabilities

This rule checks for the SANS Top 20 vulnerabilities in W4 Microsoft Office and Outlook Express for the Microsoft OLE and COM Remote Code Execution vulnerabilities. There is a buffer overflow error in the way that Exchange (2000 and Server 2003) handles an SMTP extension that could allow a remote attacker to execute arbitrary code or cause a denial of service. The relevant Microsoft Security Bulletin and CVE identifiers are MS05-012, CVE:CAN-2005-0044 and CVE:CAN-2005-0047.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/SANS Top 20/Email/

Library Resources

Trusted List This resource has no description. Active List ArcSight System/Attackers

Email This is a site asset category. Asset Category

Site Asset Categories/Application/Type

Protected This is a site asset category. Asset Category

Site Asset Categories/Address Spaces

Exchange This is a site asset category. Asset Category

Site Asset Categories/Application/Type/Email

Vulnerabilities This is a site asset category. Asset Category

Site Asset Categories/Scanned

Microsoft This is a site asset category. Asset Category

Site Asset Categories/Operating System

Operating System

This is a site asset category. Asset Category

Site Asset Categories

Application Protocol is not NULL

This filter identifies if an event has an entry for the Application Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Target Port is not NULL

This filter identifies if an event has an entry for the Target Port field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Successful Inbound DoS Events - Trend Filter

This filter identifies events that are related to successful Denial of Service attacks on internal targets, with the exception of trusted attackers (approved internal vulnerability scanners). This filter is used to select events by a query for a trend on Denial of Service attacks affecting the network, but can also be used for filtering events for a standard event report (not a trend report).

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/DoS/


Internal Source

This filter identifies events coming from inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

ASM Events This resource has no description. Filter ArcSight System/Event Types

Internal Target This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

All Events This filter matches all events. Filter ArcSight System/Core

Target Asset has Asset Name

This filter is used by some of the query variables to determine if an event has an entry for the Target Asset Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Asset/

Target Service Name is not NULL

This filter identifies if an event has an entry for the Target Service Name field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

External Target

This filter identifies events targeting the outside network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Transport Protocol is not NULL

This filter identifies if an event has an entry for the Transport Protocol field.

Filter ArcSight Foundation/Common/Conditional Variable Filters/Protocol/

Successful Inbound DoS Events Query on Trend

This query on the Inbound DoS Events trend returns the target zone name, the target asset name (or its IP address), the service name (Application Protocol Name/Transport Protocol Name: Target Port) and a timestamp, and sums the number of Denial of Service events against the services on that asset during the time period (hourly), for the Trend: Inbound DoS Events - Yesterday report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/

SANS Top 20 (v6.01) Attacked Systems - hourly

This query collects information about the SANS Top 20 vulnerability areas, vulnerability names, and the number of attacks for each vulnerability on an hourly basis. The data used is generated by events from the SANS Top 20 rules.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/SANS Top 20/


Successful Inbound DoS Events - Trend

This query returns data for reporting the target zone name, the asset name (or IP address), the service name and a summary of event counts. This data is used to populate the Inbound DoS Events trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/Trend Queries/

Inbound DoS Events

This trend contains data selected by the Successful Inbound DoS Events - Trend query, which selects the day, the service (a variable based on the service name or application protocol, the transport protocol, and the port such as HTML/TCP:80), the TargetAssetName (a variable using the host name, if available, or the IP address), and sums the aggregated event count. Note: This trend is not enabled by default.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Attack Monitoring/DoS/


Security Overview

The Security Overview resources provide information of interest to executive level personnel.

Devices

The following device types can supply events that apply to the Security Overview resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Configuration

The Security Overview resource group requires the following configuration for your environment:

Categorize all assets that have a business role in your environment with the Business Role asset category.

For more information about categorizing assets, refer to “Categorizing Assets” on page 13.

Resources

The following table lists all the resources in the Security Overview resource group and any dependent resources.

Table 3-15 Resources that Support the Security Overview Group

Resource Description Type URI

Monitor Resources

Intrusion Monitoring - Significant Events

This active channel provides an overview of hostile, compromise, or high-priority events. The active channel continuously monitors events matching: Not ArcSight Internal Events, and either Priority > 8 or Category Significance starts with /Compromise or /Hostile. This active channel uses the Business Impact Analysis Field Set (End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome and Priority).

Active Channel

ArcSight Foundation/Intrusion Monitoring/


Business Roles This dashboard displays the status of systems by their business roles: Security Device, Revenue Generation, Infrastructure, Development & Operations and Service. More detailed information is available from the follow-on dashboards in the Detail/Targets groups. This dashboard uses the following data monitors: Status by Security Device Role, Status by Infrastructure Role, Status by Development and Operations Role, Status by Revenue Generation Role and Status by Service Role.

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/

Business Impact by Role

This dashboard shows the successful attacks on systems by asset category (business and data roles).

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/

Security Activity Statistics

This dashboard displays an overview of common attackers, targets, protocols, and activity by time.

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/

Executive View This dashboard provides an overview of the network with respect to attacked systems status by asset location, business role, and worm activity. More detailed information is available from the follow-on dashboards in the Operational Summaries/Executive View Details group. This dashboard uses the following data monitors: Business Impact by Role - Successful Attacks, Business Impact by Location - Successful Attacks, Status by Business Role, and Worm Infected Systems.

Dashboard ArcSight Foundation/Intrusion Monitoring/Executive Summaries/

Worm Infected Systems

This dashboard displays the number of systems infected by worms. More detailed information is available from the follow-on dashboards in the Detail/Attackers/Worm Outbreak group. This dashboard uses the Worm Infected Machines data monitor.

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/

Attacked or Compromised Systems

This dashboard shows targets and attackers with the attacks as nodes, and the top 10 categories, by volume, of the event stream.

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/


Business Impact by Location

This dashboard shows successful attacks on systems by asset location.

Dashboard ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/

Security Intelligence Status Report

This report displays four charts and six tables. The first table gives an hourly breakdown of the event counts by agent severity. The three tables below the Event Count by Agent Severity chart show the top events, top attacks, and top triggering rules. The three charts below the tables show the top attackers, top targets, and top target ports. The three tables at the bottom of the page show the number of cases added and notifications sent, along with a list of assets and the vulnerabilities used to compromise them.

Report ArcSight Foundation/Intrusion Monitoring/Executive Summaries/

Library Resources

Address Spaces

This is a site asset category. Asset Category

Site Asset Categories

Security Devices

This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role

Service This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role

Data Role This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis

Business Role This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis

Protected This is a site asset category. Asset Category

Site Asset Categories/Address Spaces

Role This is a site asset category. Asset Category

Site Asset Categories

Operations This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role

Revenue Generation

This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role

Location This is a site asset category. Asset Category

Site Asset Categories


Development This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role

Infrastructure This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role

Top Attacker IPs

This data monitor collects the counts of attack events and groups them by attacker IP address.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/

Status by Infrastructure Role

This data monitor displays the last state (Compromised, Attacked, or Resolved) of targets in the Site Asset Categories/Business Impact Analysis/Business Role/Infrastructure/Computer and the Site Asset Categories/Business Impact Analysis/Business Role/Infrastructure/Network asset lists.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/Business Roles/

Events per Address Space

This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/

Top Connectors

This data monitor provides a list of the top 10 ArcSight connectors reporting events, minute-by-minute within the last 60 minutes, showing the connector name and ID (Agent Name and Agent ID fields), the total number of events reported, and a breakdown of the reported events by priority.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/

Attacked or Compromised Systems

This data monitor displays the status of attacked or compromised systems.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Executive View/

Status by Development and Operations Roles

This data monitor displays the last state (Compromised, Attacked, or Resolved) of targets in the Site Asset Categories/Business Impact Analysis/Business Role/Development and the Site Asset Categories/Business Impact Analysis/Business Role/Operations asset lists.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/Business Roles/


Status by Security Device Role

This data monitor displays the last state (Compromised, Attacked, or Resolved) of targets in the Site Asset Categories/Business Impact Analysis/Business Role/Security Devices asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/Business Roles/

Worm Infected Machines

This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Security Activity/

Event Counts by Hour

This data monitor collects the count of events at each priority level for each hour for the last 24 hours.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/

Application Protocol Event Counts

This data monitor tracks the application protocol events by customer resource. The data monitor updates every 30 seconds. It uses 12 samples at five-minute intervals, for a time range of one hour. The data monitor requires a minimum of 10 events to maintain a group (aggregated event counts are used when available).

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/

Recent Events This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/

Worm Infected Systems

This data monitor displays the status of systems that have been infected in the course of a worm outbreak.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Outbreak/

Status by Business Role

This data monitor displays the status of systems by Business Role, showing whether the target system has been attacked or compromised.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Executive View/

Top Target IPs This data monitor collects the counts of attack events and groups them by the target IP address.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/

Successful Inbound Attacks

This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Successful Inbound Attacks/


Business Impact by Location - Successful Attacks

This data monitor displays the number of successful attacks on systems within each asset location.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Executive View/

Top Categories This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/Attacked or Compromised Systems/

Status by Revenue Generation Role

This data monitor displays the last state (Compromised, Attacked or Resolved) of targets in the Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/Business Roles/

Status by Service Role

This data monitor displays the last state (Compromised, Attacked or Resolved) of targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Executive View Details/Business Roles/

Top Transport Protocols

This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Security Activity Statistics/

Business Impact by Role - Successful Attacks

This data monitor displays a count and priority of the systems attacked by Business and Data Role.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Executive Summaries/Executive View/

Business Impact Analysis

This field set includes: End Time, Business Role, Data Role, Attacker Zone Name, Target Host Name, Category Significance, Category Outcome, and Priority.

Field Set ArcSight Foundation/Intrusion Monitoring/Active Channels/

Worm Outbreak

This filter retrieves events with the name Worm Outbreak Detected and type Correlation.

Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Attack Events This filter identifies events where the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/


Status by Business Role

This filter returns events with the names Compromise/Attempt, Compromise/Success, Hostile/Attempt, or Hostile/Success with target asset IDs that are associated with the Site Asset Categories/Business Impact Analysis/Business Role asset category hierarchy.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/

Business Role - Development and Operations

This filter returns the target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Development or the Site Asset Categories/Business Impact Analysis/Business Role/Operations Asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/

External Source

This filter identifies events originating from outside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Attacked or Compromised Systems

This filter retrieves events that have one of the following names: Compromise - Success, Compromise - Attempt, Hostile - Success, or Hostile - Attempt. These events are generated by the rules of that name for use in the Attacked or Compromised Systems data monitor.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Internal Source

This filter identifies events coming from inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

ASM Events This resource has no description. Filter ArcSight System/Event Types

Internal Target This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

All Events This filter matches all events. Filter ArcSight System/Core

Business Role - Service

This filter returns the target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Service Asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/

Inbound Attacks

This filter identifies events that have a significance of compromise or hostile and an outcome of success, for traffic passing into the network.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

ArcSight Events

This resource has no description. Filter ArcSight System/Event Types


Business Role - Infrastructure

This filter returns the target asset IDs that have the Site Asset Categories/Business Impact Analysis/Business Role/Infrastructure/Computer or the Site Asset Categories/Business Impact Analysis/Business Role/Infrastructure/Network asset categories associated with them.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/

ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Non-ArcSight Internal Events

This resource has no description. Filter ArcSight System/Event Types

Inbound Events

This filter identifies events coming from the outside network targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Location Filters/

Business Role - Revenue Generation

This filter returns the target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Revenue Generation Asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/

Worm Traffic This resource has no description. Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Business Role - Security Devices

This filter returns the target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Security Devices Asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/

Successful Attacks

This filter detects events that have a significance of compromise or hostile, and an outcome of success.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Non-ArcSight Events

This resource has no description. Filter ArcSight System/Event Types

SIS-Top Firing Rules Table Query

This query returns the event name and sums the aggregated event count where the type is Correlation for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Event Count by Agent Severity Chart Query

This query returns the date, agent severity, and the number of events for each agent severity level for that day/hour for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/


SIS-Top Attacks Table Query

This query returns the event name and sums the aggregated event count that have a category significance of Compromise or Hostile for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Cases Added Table Query

This query returns the stage, consequence severity, and a count of the cases with that pairing for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Top Targets Chart Query

This query returns the target zone name, target address, and sums the aggregated event count for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Top Events Table Query

This query returns the event name and sums the aggregated event count for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Assets Compromised Table Query

This query returns the target asset name, vulnerability external ID (the vulnerability name), and a sum of the number of events reported for that asset/vulnerability pair for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Notifications Sent Table Query

This query returns the group name, escalation level, acknowledgement status, and a count of the notifications for these conditions for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Top Attackers Chart Query

This query returns the attacker zone name, attacker address, and sums the aggregated event count for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

SIS-Top Target Ports Chart Query

This query returns the target port and sums the aggregated event count for use in the Security Intelligence Status Report.

Query ArcSight Foundation/Intrusion Monitoring/Executive Summaries/SIS/

Revenue Generating Systems

This use case provides information about revenue generating systems.

Use Case ArcSight Foundation/Intrusion Monitoring/Security Overview Group/

Environment State

This use case provides information about the state of your environment, such as application and OS status.

Use Case ArcSight Foundation/Intrusion Monitoring/Security Overview Group/


Business Impact Analysis

This use case provides business role related information.

Use Case ArcSight Foundation/Intrusion Monitoring/Security Overview Group/

Regulated Systems

This use case provides information about regulated systems.

Use Case ArcSight Foundation/Intrusion Monitoring/Security Overview Group/


Targets

The Targets resources provide security information focused on target information.

The By Port or Protocol content provides views of targets by target port. The protocol information can often be derived from the port number.

The Target Counts content provides views of attackers from various perspectives: reporting device, target host, target port, ArcSight priority, and so on.

The Targets in Lists content gives a view of targets that are in one or more of the ArcSight Core Priority Formula lists, which specify hit, scanned, or compromised.

The Top and Bottom 10 content provides views of targets by using top and bottom 10 lists. The bottom 10 lists are useful for tracking the attackers who are trying to avoid detection by using the low-and-slow method (low volume over a long period of time), looking for a particular target.

Devices

The following device types can supply events that apply to the Targets resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Resources

The following table lists all the resources in the Targets resource group and any dependent resources.

Table 3-16 Resources that Support the Targets Group

Resource Description Type URI

Monitor Resources

Service-Email Attacks

This dashboard provides information about email attack activity. The dashboard uses the Top 10 Email Service Targets and the Email Service Attack Activity data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/

Service-Web Attacks

This dashboard provides information about web attack activity. The dashboard uses the Top 10 Web Service Targets and the Web Service Attack Activity data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/

Service-Database Attacks

This dashboard provides information about database attack activity. The dashboard uses the Top 10 Database Service Targets and the Database Service Attack Activity data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/


Service-Communications Attacks

This dashboard provides information about communications service attack activity. The dashboard uses the Top 10 Communications Service Targets and the Communications Service Attack Activity data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/

Critical Asset Monitoring

This resource has no description. Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/

Service Attacks

This dashboard provides an overview on service attack activity for web, email, database, and communications services. More detailed information is available from the follow-on dashboards in the Detail/Targets/Service Assets group. This dashboard uses the Web Service Attack Activity, Email Service Attack Activity, Communications Service Attack Activity, and Database Service Attack Activity data monitors.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/

Successful Inbound Attacks

This resource has no description. Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/

Top N Attack Signatures Targeting Windows Assets

This report displays the top attack signatures (event names) seen on the network affecting assets running a Microsoft operating system.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Top N Targets (Bar Chart)

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Recent Activity Affecting Target Assets in Scanned List

This report displays the amount and type of activity related to assets in the Scanned List active list.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Targets in Scanned List

This report enumerates all the entries in the Scanned List active list and shows which entries have been recently modified (by comparing the creation time and last modified time).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/


Top Target Ports Chart

This report shows the target port and the sum of the aggregated event count for events matching the Attack Events filter where the target port is set.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Port or Protocol/

Target Counts by ArcSight Priority

This report displays the priority, target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Target Counts by Attacker

This report displays the attacker zone name, attacker address, target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Top N Targets (Table)

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Targets in Compromised List

This report displays the entries in the Compromised List active list and shows which entries have been recently modified (comparing the creation time and last modified time).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Recent Activity Affecting Target Assets in Compromised List

This report displays the customer name, zone name, address, event name, and the number of occurrences of events targeting assets in the Compromised List active list. This report is intended to show the amount and type of activity related to assets in the list.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Target Port Counts

This report displays the target zone name, the target address, the event name, and the sum of the aggregated event count for events matching the Attack Events filter where the target port is selected by the target port parameter, which defaults to 80.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Port or Protocol/

Top N Targets (3D Pie Chart)

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/


Top Targets

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Top N Targets (Pie Chart)

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Bottom N Targets

This report displays the least targeted systems of those that have been attacked.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Top N Attacked Assets in North America

This report displays the attacked assets categorized as being in North America. Note: This report does not populate all values when running in Turbo Mode Fastest.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Targets in Hit List

This report enumerates all the entries in the Hit List active list and shows which entries have been recently modified (by comparing the creation time and last modified time).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Top Alert Destinations

This report shows the top IDS and IPS alert destinations per day.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Device Type/IDS/

Top N Targets (Table and Chart)

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

By User Account - Compromised - Access

This report displays a table of events showing the Category Outcome, Target Zone Name, Target Address, Attacker User Name, Target User Name, Target Host Name, Target Process Name, and the sum of the Aggregated Event Count for events where the Attacker or Target User Name is in the Compromised User Accounts active list, the Target Address is set and the event has the Category Behavior of /Authentication/Verify.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/User Accounts/


Target Counts by Target Port

This report displays the target zone name, target address, target port, and the sum of the aggregated event count for events matching the Attack Events filter where the target port is not null.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Port or Protocol/

By User Account - Compromised - All Activity

This report displays the category outcome, end time (by hour), target user name, attacker user name, target zone name, target address, and event name for events where the attacker or target user name is in the Compromised User Accounts active list.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/User Accounts/

Target Counts by Device

This report displays the device zone name, device address, target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Target Counts by Event Name

This report displays the event name, target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Recent Activity Affecting Target Assets in Hit List

This report displays the amount and type of activity related to assets in the Hit List active list.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Top N Targets (Inverted Bar Chart)

This report displays the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Library - Correlation Resources

Traffic To Dark Address Space

This rule detects any traffic that targets the dark address space and adds the attacker address to the Suspicious active list.

Rule ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/

Library Resources

Hit List

This resource has no description.

Active List ArcSight System/Targets

Suspicious List

This resource has no description.

Active List ArcSight System/Threat Tracking

Compromised List

This resource has no description. Active List ArcSight System/Threat Tracking


Compromised User Accounts

This resource has no description. Active List ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/

Scanned List

This resource has no description.

Active List ArcSight System/Targets

High

The disruption of access to or use of information on an information system can have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Asset Category Site Asset Categories/Compliance Requirement/FIPS-199/Availability Criticality

Protected

This is a site asset category.

Asset Category Site Asset Categories/Address Spaces

Database

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis/Business Role/Service

High

The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Asset Category Site Asset Categories/Compliance Requirement/FIPS-199/Integrity Criticality

Email

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis/Business Role/Service

Microsoft

This is a site asset category.

Asset Category Site Asset Categories/Operating System

Web

This is a site asset category.

Asset Category Site Asset Categories/Business Impact Analysis/Business Role/Service

Dark

This is a site asset category.

Asset Category Site Asset Categories/Address Spaces

Criticality

This is a system asset category.

Asset Category System Asset Categories

High

This is a system asset category.

Asset Category System Asset Categories/Criticality

North America

This is a site asset category.

Asset Category Site Asset Categories/Location

High

The unauthorized disclosure of information can have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Asset Category Site Asset Categories/Compliance Requirement/FIPS-199/Confidentiality Criticality


Communications

This is a site asset category. Asset Category

Site Asset Categories/Business Impact Analysis/Business Role/Service

Very High

This is a system asset category.

Asset Category System Asset Categories/Criticality

Critical Target Assets Port Anomalies

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Critical Asset Monitoring/

Top 10 Email Service Targets

This data monitor displays the number of events affecting the top 10 targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Email asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Email/

Critical Asset Group Count

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Critical Asset Monitoring/

Critical Attacker Assets

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/

Attacks

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attackers/

Database Service Attack Activity

This data monitor displays the number of events affecting targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Database asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Database/

Web Service Attack Activity

This data monitor displays the number of events affecting targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Web asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Web Attacks/

Top Attackers Targeting Critical Assets

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Critical Asset Monitoring/

Critical Target Assets

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Critical Asset Monitoring/


Communications Service Attack Activity

This data monitor displays the number of events affecting targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Communications asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Communications/

Top 10 Database Service Targets

This data monitor displays the number of events affecting the top 10 targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Database asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Database/

Top 10 Communications Service Targets

This data monitor displays the number of events affecting the top 10 targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Communications asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Communications/

Successful Inbound Attacks

This resource has no description. Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Successful Inbound Attacks/

Critical Target Assets Event Graph

This data monitor does not work properly when running in Turbo Mode Fastest.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Critical Asset Monitoring/

Top 10 Web Service Targets

This data monitor displays the number of events affecting the top 10 targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Web asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Web Attacks/

Email Service Attack Activity

This data monitor displays the number of events affecting targets in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Email asset list.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Service Assets/Service-Email/

Attack Events

This filter identifies events where the category significance starts with Compromise or Hostile.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

External Source

This filter identifies events originating from outside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Services - Web Service

This filter identifies target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Web Service asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/Services/


Very High Criticality Assets

This resource has no description. Filter ArcSight System/Core/Threat Level Filters

Services - Database Service

This filter identifies target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Database asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/Services/

High Criticality Assets

This resource has no description. Filter ArcSight System/Core/Threat Level Filters

Internal Source

This filter identifies events coming from inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Internal Target

This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

All Events

Filter that matches all events.

Filter ArcSight System/Core

Inbound Attacks

This filter identifies events that have a significance of compromise or hostile and an outcome of success, and that are passing into the network.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Critical Target Asset Priority gt 6

This filter identifies non-ArcSight events in which the priority is greater than 6, the attacker address is set, and the target asset ID matches either the High Criticality Assets or Very High Criticality Assets filter.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Asset Criticality/

Critical Target Asset

This filter identifies non-ArcSight events in which the attacker address is set and the target asset ID matches either the High Criticality Assets or Very High Criticality Assets filter.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Asset Criticality/

ArcSight Events

This resource has no description. Filter ArcSight System/Event Types

IDS -IPS Events

This filter identifies Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) events.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/

Inbound Events

This filter identifies events coming from the outside network targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Location Filters/

Attacks Targeting Assets

This resource has no description. Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/


Critical Asset (High or Very High) Target Port Not Null

This filter identifies non-ArcSight events in which the target port is set and the target asset ID matches either the High Criticality Assets or Very High Criticality Assets filter.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Asset Criticality/

Critical Attacker Assets Priority gt 6

This filter identifies events in which the priority is greater than 6 and the attacker asset ID is in one of the following groups:

/All Asset Categories/Site Asset Categories/Compliance Requirement/FIPS-199/Availability Criticality/High

/All Asset Categories/Site Asset Categories/Compliance Requirement/FIPS-199/Confidentiality Criticality/High

/All Asset Categories/Site Asset Categories/Compliance Requirement/FIPS-199/Integrity Criticality/High

/All Asset Categories/System Asset Categories/Criticality/High

/All Asset Categories/System Asset Categories/Criticality/Very High

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Asset Criticality/

Services - Communications Service

This filter identifies target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Communications asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/Services/

Services - Email Service

This filter identifies the target asset IDs that are in the Site Asset Categories/Business Impact Analysis/Business Role/Service/Email asset list.

Filter ArcSight Foundation/Intrusion Monitoring/Attack Monitoring/Targets/Business Roles/Services/

Non-ArcSight Events

This resource has no description. Filter ArcSight System/Event Types

Top 10 Targets

This report shows the top 10 targets in a chart.

Focused Report

ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Device Type/IDS/

Targets in Scanned List

This query returns the customer name, zone name, address, creation time, and last modified time of entries in the Scanned List active list.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/


Top 10 Attacked Assets in North America

This query returns the target zone and target asset name from events where the event is an attack event and the target asset ID is in /All Asset Categories/Site Asset Categories/Location/North America. Note: This query does not populate all values when running in Turbo Mode Fastest.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

By User Account - Compromised - Access

This query returns the category outcome, target zone name, target address, attacker user name, target user name, target host name, target process name, and the sum of the aggregated event count for events where the attacker or target user name is in the Compromised User Accounts active list, the Target Address is set, and the event has the category behavior /Authentication/Verify.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/User Accounts/

Target Counts by ArcSight Priority

This query returns the priority, target zone name, target address and the sum of the aggregated event count for events matching the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Top 10 Attack Signatures targeting Windows Assets

This query returns the top attack signatures (event names) on the network affecting assets running a Microsoft operating system.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Targets in Hit List

This query returns the customer name, zone name, address, creation time, and last modified time of entries in the Hit List active list.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Top Alert Destinations

This query returns the count of IDS and IPS alerts by destination address, zone, device vendor, and device product.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Device Type/IDS/

Top 10 Targets

This query returns the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter. The query is used in the following reports: Top N Targets, Top N Targets (3D Pie Chart), Top N Targets (Bar Chart), Top N Targets (Inverted Bar Chart), Top N Targets (Pie Chart), Top N Targets (Table and Chart), and Top N Targets (Table).

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/


Bottom 10 Targets

This query returns the target zone name, target address, and the sum of the aggregated event count for events matching the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Top and Bottom 10/

Recent Activity Affecting Target Assets in Scanned List

This query returns events targeting assets in the Scanned List active list, selecting the customer name, zone name, address, event name, and a count of the events.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Target Port Counts

This query returns the target zone name, target address, event name, and the sum of the aggregated event count for events matching the Attack Events filter where the target port is selected by the Target Port parameter, which defaults to 80.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Port or Protocol/

Recent Activity Affecting Target Assets in Compromised List

This query returns events targeting assets in the Compromised List active list, selecting the customer name, zone name, address, event name, and a count of the events.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

By User Account - Compromised - All Activity

This query returns the category outcome, end time (by hour), target user name, attacker user name, target zone name, target address, and event name for events where the attacker or target user name is in the Compromised User Accounts active list.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/User Accounts/

Target Counts by Attacker

This query returns the attacker zone name, attacker address, target zone name, target address and the sum of the aggregated event count for events matching the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Targets in Compromised List

This query returns the customer name, zone name, address, creation time, and last modified time of entries in the Compromised List active list.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/

Target Counts by Target Port

This query returns the target zone name, target address, target port and the sum of the aggregated event count for events matching the Attack Events filter where the target port is not null.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Port or Protocol/


Target Counts by Device

This query returns the device zone name, device address, target zone name, target address and the sum of the aggregated event count for events matching the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Top Target Ports Chart

This query returns the target port and the sum of the aggregated event count for events matching the Attack Events filter where the target port is set.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/By Port or Protocol/

Target Counts by Event Name

This query returns the event name, target zone name, target address and the sum of the aggregated event count for events matching the Attack Events filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Target Counts/

Recent Activity Affecting Target Assets in Hit List

This query returns events targeting assets in the Hit List active list, selecting the customer name, zone name, address, event name, and a count of the events.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Targets/Targets in Lists/


Vulnerability View

The Vulnerability View resources provide information about assets and their vulnerabilities, with an active channel that focuses on vulnerability scanner reports. These resources present two major reports that are a variation on the list of assets and the list of vulnerabilities.

Running the scanner reports can produce reams of output. Scanner reports are considered sensitive, so not every user should have access to these resources. For tips on restricting access to these resources, see “Restricting Access to Vulnerability View Reports” on page 15.

Devices

The following device types can supply events that apply to the Vulnerability View resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Vulnerability scanners

Resources

The following table lists all the resources in the Vulnerability View resource group and any dependent resources.

Table 3-17 Resources that Support the Vulnerability View Group

Resource Description Type URI

Monitor Resources

Vulnerability Events

This active channel shows events received during the last two hours. The active channel includes a sliding window that displays the last two hours of event data. A filter prevents the channel from showing events that contributed to the triggering of a rule, commonly referred to as correlated events.

Active Channel

ArcSight Foundation/Intrusion Monitoring/Vulnerability View/

Vulnerability Scanner Events

This active channel shows the events selected by the Scanner Events filter over the last hour, using the Vulnerability Scanner field set, which shows the description of the scanner event, the zone and address of the asset for which the vulnerability is being reported, and the scanner information, vendor, product and scanning host, reporting the vulnerability for that asset.

Active Channel

ArcSight Foundation/Intrusion Monitoring/Vulnerability View/


Asset Vulnerability List

This report displays each asset (by zone) and all the vulnerabilities that have been reported for the asset. Note: This is an exhaustive list that can get extremely large.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Vulnerability View/

Daily Top 10 Vulnerabilities in Events Trend

This report shows the top 10 most frequently detected vulnerabilities per day for the last seven days (by default). A line chart shows the count of each vulnerability exploit attempt per day. A line crossing several days indicates that the exploit was attempted several times each day. Single points are indicative of frequent exploit attempts that either occurred only on that day or were overshadowed by the volume of other exploit attempts on the other days. The table shows the same data as the chart in a reference format.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Vulnerabilities in Events by Zone

This report shows the vulnerability event counts seen on the network, by zone and shows a breakdown of the events by priority.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Top Vulnerabilities in Events Trend

This report displays the most frequent vulnerability exploit attempts on the network showing the vulnerabilities that are being targeted across the network in the last day or so. Use this report to gain a better understanding of the current threat activity.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Vulnerabilities and Assets

This report shows each vulnerability that has been reported for any asset and all the assets, by zone, affected by the vulnerability. Note: This is an exhaustive list that can get extremely large.

Report ArcSight Foundation/Intrusion Monitoring/Detail/Vulnerability View/

Top N Vulnerabilities on Assets

This report displays the most frequent vulnerability exploit attempts against the network. This data is collected from the Asset Counts by Vulnerability trend. This trend is a snapshot trend of the assets taken once per week.

Report ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/


Library Resources

Vulnerability

This field set shows the following columns: End Time, Name, Attacker Address, Target Address, Priority, Vulnerability Resource, Device Vendor, Device Product.

Field Set ArcSight Foundation/Intrusion Monitoring/Active Channels/

Vulnerability Scanner

This field set shows the following columns: End Time, Name, Target Zone Resource, Target Address, Priority, Device Vendor, Device Product, Device Host Name.

Field Set ArcSight Foundation/Intrusion Monitoring/Active Channels/

Scanner Events

This filter identifies events from network vulnerability scanners, where the events are defined as: Category Behavior = /Found/Vulnerable, Category Device Group = /Assessment Tools, Category Technique StartsWith /Scan, Category Technique Contains vulnerability. This filter is used by the Vulnerability Scanner Events active channel.

Filter ArcSight Foundation/Intrusion Monitoring/Vulnerability View/

Events with Vulnerabilities

This filter identifies events in which the vulnerability field has been populated. The vulnerability field is populated when an event that attempts to exploit the vulnerability targets an asset that has had that vulnerability reported by a security scanner.

Filter ArcSight Foundation/Intrusion Monitoring/Vulnerability View/

Vulnerabilities and Assets

This query returns the vulnerability, the asset zone, the asset address, the asset ID, the asset host name, and the count of the asset ID to get an exhaustive list of the assets and associated vulnerabilities. The asset ID count is used to retrieve assets that might not yet have any vulnerabilities reported. This query is used by the Asset Vulnerability List and Vulnerabilities and Assets reports, to provide two different views of the assets and vulnerabilities. Schedule the reports to run periodically to track changes in assets.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Vulnerability View/


Vulnerabilities in Events by Zone (Chart Query)

This query returns the zone, vulnerability name, and sums the aggregated event count for events matching the Events with Vulnerabilities filter to provide data for the Top N Vulnerabilities by Zone chart in the Vulnerabilities in Events by Zone report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Top 10 Daily Vulnerabilities in Events on Trend

This query on the Prioritized Vulnerability Events by Zone trend retrieves the top 10 daily vulnerability events (by sum of the aggregated event count) each day. The data is used to populate the Top 10 Daily Vulnerability Events trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/Trend Queries/

Prioritized Vulnerabilities in Events by Zone

This query returns the zone, vulnerability name, priority, and sums the aggregated event count for events matching the Events with Vulnerabilities filter to provide data for the Top N Vulnerabilities by Zone with Priority table in the Vulnerabilities in Events by Zone report. This query also provides data for the Prioritized Vulnerability Events by Zone trend.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Vulnerabilities (by Asset Counts) on Trend

This query on the Asset Counts by Vulnerability trend returns the vulnerability and the sum of the assets affected by the vulnerability for the Top N Vulnerabilities on Assets report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Assets Counts by Vulnerability Trend

This query populates the Asset Counts by Vulnerability trend. It collects the vulnerability and the number of assets for which the vulnerability is reported. The query returns the most widely reported vulnerabilities in descending order, to show the most common vulnerabilities exposed on the network.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/Trend Queries/

Top N Vulnerabilities in Events on Trend

This query polls the Prioritized Vulnerability Events by Zone trend, returning the vulnerability name and the sum of the aggregated event count for use in the Top Vulnerabilities in Events Trend report.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/


Top 10 Daily Vulnerability Events on Trend

This query on the Top 10 Daily Vulnerability Events trend returns the date via a dependent variable (dvDate), and the sum of the aggregated event count for use in the Daily Top 10 Vulnerabilities in Events Trend report. The Top 10 Daily Vulnerability Events trend includes only 10 events per day, and setting the row limit for this trend by a multiple of 10 will provide data for that many days. For example, setting the row limit to 70 will give the top 10 vulnerabilities per day for the last seven days.

Query ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/Trend Queries/

Prioritized Vulnerability Events by Zone

This trend stores the target zone name, the vulnerability name, the priority, and the sum of the aggregated event count to determine the top vulnerability events in a given time period. The trend runs queries once a day, collecting the top 1000 events. This allows the determination of the top 10 most frequent vulnerability exploit attempts per day, and can give a reasonable view of the top 10 attempts for the past week, or possibly the last month.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/

Top 10 Daily Vulnerability Events

This trend collects daily information on the top 10 vulnerabilities of the previous day. The trend uses the Top 10 Daily Vulnerabilities in Events on Trend query to retrieve the top 10 events from the Prioritized Vulnerability Events by Zone trend for use in the Daily Top 10 Vulnerabilities in Events Trend report. The trend query is set up to only retrieve the top 10 vulnerabilities, once per day.

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/


Asset Counts by Vulnerability

This trend collects the top 1000 vulnerabilities reported affecting the most assets on the network to give a view of which vulnerabilities represent the highest risk, by vulnerability exposure, on a weekly basis (assuming that the vulnerability scanner is scanning once per week). Adjust the timing of this trend and the report time range for more accuracy. A count with a blank vulnerability means that a number of assets do not have any vulnerabilities associated with them. You can locate these assets by reviewing the Vulnerabilities and Assets report (the blank vulnerability should have the zones, addresses, and host names of the assets with no reported vulnerabilities listed at the end of the report).

Trend ArcSight Foundation/Intrusion Monitoring/Operational Summaries/Vulnerability View/


Worm Outbreak

The Worm Outbreak resources provide information about worm activity and the effect a worm has had on the network.

Devices

The following device types can supply events that apply to the Worm Outbreak resource group:

Firewalls

Intrusion Detection Systems

Intrusion Prevention Systems

Operating systems

Vulnerability scanners

Anti-virus Systems

Resources

The following table lists all the resources in the Worm Outbreak resource group and any dependent resources.

Table 3-18 Resources that Support the Worm Outbreak Group

Resource Description Type URI

Monitor Resources

Worm Outbreak

This dashboard provides a view of worm activity across the network.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/

Worm Outbreak Overview

This dashboard provides a view of worm activity across the network.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/

Worm Spread Geo View

This dashboard displays a world map showing worm activity affecting the network.

Dashboard ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/


Worm Infected Systems

This report presents a table of systems that have been infected by a worm. The table is sorted by the Attacker Zone Name, then by the Attacker Host Name and finally by the Attacker Address (for cases where the system does not have a host name). You can change the start and end times of the event query, and the row limit (to show more or fewer systems). You can also use the Filter By parameter to create an additional filter to limit the report to specific systems. Changing the Filter By parameter causes the query to select events that match both the selected filter and the Worm Traffic filter (Worm Traffic AND <selected filter>).

Report ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/

Library - Correlation Resources

Worm Outbreak Detected

This rule fires when both the Possible Network Sweep rule has triggered and the Target Port Activity by Attacker data monitor has generated a correlation event indicating an increase of more than 100% in target port activity by one attacker. Joining the attackers and target ports from these two correlation events establishes that the attacker has shown an increase in target port traffic to multiple hosts, not just a two-way communication with a single host. This behavior is indicative of a worm-infected system.

Rule ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Blaster DDOS From Infected Host

This rule detects a Distributed Denial Of Service (DDOS) attack (Blaster) originating from an infected host. This rule detects DoS events targeting a windowsupdate.com host, either coming from a host in the Attackers/Untrusted List active list or from a host in the Targets/Compromised List active list. This means that a compromised target could be acting as an attacker. In this case, this host is infected. This rule only requires one such event, and the time frame is set to two minutes. After this rule is triggered, the categoryOutcome field is set to Success and the categorySignificance field is set to Hostile.

Rule ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/


Blaster Infected Host

This rule detects hosts infected by the Blaster worm. It looks for two events. The first event, the ExploitEvent, targets one of the following ports: 135, 139 or 445. The second event, the TftpEvent, targets port 69 and uses UDP. Neither event comes from a host in the Attackers/Trusted List active list. To match, the Attacker-Target pair in the first event must equal the swapped Target-Attacker pair in the second event. This rule requires one matching occurrence, and the time frame is set to two minutes. On the first occurrence, a notification is sent to the Analysts and the target of the ExploitEvent is added to the Worm Infected Systems active list. The correlation event from the rule triggering is caught by the Hostile - Success rule.

Rule ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Possible Internal Network Sweep

This rule detects a single host trying to communicate with at least 10 other hosts on the same target port within the network, within a minute. This rule, combined with a spike in target port activity by the same host, results in the Worm Outbreak Detected rule being triggered.

Rule ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Possible Outbound Network Sweep

This rule detects a single host trying to communicate with at least 10 other hosts on the same target port outside the network, within a minute. This rule, combined with a spike in target port activity by the same host, results in the Worm Outbreak Detected rule being triggered.

Rule ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/
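The Blaster Infected Host rule and the Possible Internal/Outbound Network Sweep rules above describe two correlation patterns: a two-event join with the attacker/target pair swapped inside a two-minute window, and a one-minute count of distinct targets per attacker and port. The following Python is an added example that re-implements both over constructed sample events; it is not ArcSight code or content from this guide, and the event field names (attacker, target, target_port, protocol), the sample addresses and the in_scope predicate are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the rule descriptions in this guide.
EXPLOIT_PORTS = {135, 139, 445}          # first event of the Blaster pair (ExploitEvent)
TFTP_PORT = 69                           # second event: TFTP over UDP (TftpEvent)
BLASTER_WINDOW = timedelta(minutes=2)    # "the time frame is set to two minutes"
SWEEP_THRESHOLD = 10                     # "at least 10 other hosts on the same target port"
SWEEP_WINDOW = timedelta(minutes=1)      # "within a minute"


def make_event(ts, attacker, target, target_port, protocol="TCP"):
    """Build a minimal normalized event (field names are assumptions)."""
    return {"time": datetime.fromisoformat(ts), "attacker": attacker,
            "target": target, "target_port": target_port, "protocol": protocol}


def blaster_infected_hosts(events, trusted):
    """Hosts that would be added to the Worm Infected Systems active list.

    An ExploitEvent (A -> B on 135/139/445) must be followed within two
    minutes by a TftpEvent with the pair swapped (B -> A on UDP/69). Events
    whose attacker is on the Trusted List are ignored, and the target of the
    ExploitEvent (B) is the newly infected host.
    """
    exploit_times = defaultdict(list)   # (attacker, target) -> exploit timestamps
    infected = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["attacker"] in trusted:
            continue
        if ev["target_port"] in EXPLOIT_PORTS:
            exploit_times[(ev["attacker"], ev["target"])].append(ev["time"])
        elif ev["target_port"] == TFTP_PORT and ev["protocol"] == "UDP":
            pair = (ev["target"], ev["attacker"])   # swapped Target-Attacker pair
            if any(timedelta(0) <= ev["time"] - t <= BLASTER_WINDOW
                   for t in exploit_times.get(pair, [])):
                infected.add(pair[1])
    return infected


def network_sweep_sources(events, threshold=SWEEP_THRESHOLD, window=SWEEP_WINDOW,
                          in_scope=lambda target: True):
    """Hosts contacting >= threshold distinct targets on one port within window.

    in_scope selects the target population: internal targets for the
    Possible Internal Network Sweep rule, external ones for the outbound rule.
    """
    recent = defaultdict(list)          # (attacker, port) -> [(time, target)]
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if not in_scope(ev["target"]):
            continue
        bucket = recent[(ev["attacker"], ev["target_port"])]
        bucket.append((ev["time"], ev["target"]))
        while ev["time"] - bucket[0][0] > window:   # slide the window forward
            bucket.pop(0)
        if len({t for _, t in bucket}) >= threshold:
            flagged.add(ev["attacker"])
    return flagged


# Constructed sample data (not from the guide).
TRUSTED_LIST = {"10.0.0.9"}
SAMPLE_EVENTS = [
    make_event("2012-09-14T10:00:00", "10.0.0.5", "10.0.0.20", 135),
    make_event("2012-09-14T10:00:30", "10.0.0.20", "10.0.0.5", 69, "UDP"),  # pair matches: 10.0.0.20 infected
    make_event("2012-09-14T10:05:00", "10.0.0.7", "10.0.0.21", 445),
    make_event("2012-09-14T10:09:00", "10.0.0.21", "10.0.0.7", 69, "UDP"),  # four minutes later: outside window
    make_event("2012-09-14T10:10:00", "10.0.0.9", "10.0.0.30", 139),        # attacker is on the Trusted List
    make_event("2012-09-14T10:10:10", "10.0.0.30", "10.0.0.9", 69, "UDP"),
] + [  # the infected host then contacts twelve neighbours on 445 within twelve seconds
    make_event(f"2012-09-14T10:20:{i:02d}", "10.0.0.20", f"10.0.0.{100 + i}", 445)
    for i in range(12)
]

if __name__ == "__main__":
    print("Blaster-infected hosts:", blaster_infected_hosts(SAMPLE_EVENTS, TRUSTED_LIST))
    print("Network sweep sources:", network_sweep_sources(SAMPLE_EVENTS))
```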

Library Resources

Compromised List

This resource has no description. Active List ArcSight System/Threat Tracking

Worm Infected Systems

This resource has no description. Active List ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Trusted List

This resource has no description. Active List ArcSight System/Attackers

Untrusted List

This resource has no description. Active List ArcSight System/Attackers

Email

This is a site asset category. Asset Category

Site Asset Categories/Application/Type


Domain Name Server

This is a site asset category. Asset Category

Site Asset Categories/Application/Type

Protected

This is a site asset category. Asset Category

Site Asset Categories/Address Spaces

Proxy

This is a site asset category. Asset Category

Site Asset Categories/Application/Type

Worm Propagation by Host

This data monitor shows the spread of worm activity throughout the network.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Outbreak/

Worm Propagation by Zone

This data monitor shows the spread of worms across network zones.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Outbreak/

Worm Infected Systems

This data monitor displays the status of systems that have been infected in the course of a worm outbreak.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Outbreak/

Worm Spread

This data monitor tracks worm activity affecting the network for display on a world map.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Spread Geo View/

Worm Activity Status

This data monitor shows the most recent events related to worm activity in the network zones.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Outbreak/

Target Port Activity by Attacker

This data monitor is used in conjunction with the Worm Outbreak Detected rule and the Possible Network Sweep rules to detect worm outbreaks before an IDS signature is released.

Data Monitor

ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/Worm Outbreak/

Worm Outbreak

This filter retrieves events with the name Worm Outbreak Detected and type Correlation.

Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Target Port Activity By Attacker

This resource has no description. Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/


Worm Geo Filter

This filter is used by the Worm Spread data monitor in the Worm Spread Geo View dashboard to graph worm-related events between systems on a world map. Worm-related events are defined here as a category object of /Vector/Worm or /Host/Infection/Worm, or a category technique of /Code/Worm. For the event to be graphed, either the attacker or the target system needs to have its geographic longitude and latitude set (they must be NOT NULL).

Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/
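The Scanner Events and Events with Vulnerabilities filters in the Vulnerability View section and the Worm Geo Filter above compose equality, StartsWith, Contains and NOT NULL conditions. The following Python is an added example, not the guide's or ArcSight's own code, that expresses those three definitions in a small condition evaluator and runs them over constructed sample events; the condition-tree format, the camelCase field names (categoryBehavior, attackerGeoLatitude and so on) and the case-insensitive Contains are assumptions.

```python
# Minimal evaluator for ArcSight-style filter conditions (illustrative format,
# not ArcSight's own). Events are plain dicts; an absent field is NULL.

def cond(field, op, value=None):
    return ("cond", field, op, value)


def all_of(*parts):
    return ("and", parts)


def any_of(*parts):
    return ("or", parts)


def evaluate(expr, event):
    """Evaluate a condition tree against an event dict."""
    if expr[0] == "and":
        return all(evaluate(p, event) for p in expr[1])
    if expr[0] == "or":
        return any(evaluate(p, event) for p in expr[1])
    _, field, op, value = expr
    actual = event.get(field)
    if op == "IS NOT NULL":
        return actual is not None
    if actual is None:                 # a NULL field never satisfies a comparison
        return False
    if op == "=":
        return actual == value
    if op == "StartsWith":
        return actual.startswith(value)
    if op == "Contains":               # assumed case-insensitive ("Contains vulnerability")
        return value.lower() in actual.lower()
    raise ValueError(f"unknown operator {op!r}")


# Scanner Events: all four conditions from the guide must hold.
SCANNER_EVENTS = all_of(
    cond("categoryBehavior", "=", "/Found/Vulnerable"),
    cond("categoryDeviceGroup", "=", "/Assessment Tools"),
    cond("categoryTechnique", "StartsWith", "/Scan"),
    cond("categoryTechnique", "Contains", "vulnerability"),
)

# Events with Vulnerabilities: the vulnerability field has been populated.
EVENTS_WITH_VULNERABILITIES = cond("vulnerability", "IS NOT NULL")


def _has_geo(prefix):
    """Both coordinates of one endpoint (attacker or target) are set."""
    return all_of(cond(f"{prefix}GeoLatitude", "IS NOT NULL"),
                  cond(f"{prefix}GeoLongitude", "IS NOT NULL"))


# Worm Geo Filter: a worm-related event where either endpoint has coordinates.
WORM_GEO_FILTER = all_of(
    any_of(cond("categoryObject", "=", "/Vector/Worm"),
           cond("categoryObject", "=", "/Host/Infection/Worm"),
           cond("categoryTechnique", "=", "/Code/Worm")),
    any_of(_has_geo("attacker"), _has_geo("target")),
)

FILTERS = {
    "Scanner Events": SCANNER_EVENTS,
    "Events with Vulnerabilities": EVENTS_WITH_VULNERABILITIES,
    "Worm Geo Filter": WORM_GEO_FILTER,
}


def matching_filters(event):
    """Names of the filters an event satisfies."""
    return {name for name, expr in FILTERS.items() if evaluate(expr, event)}


# Constructed sample events (values are illustrative, not from the guide).
SCAN_FINDING = {"categoryBehavior": "/Found/Vulnerable",
                "categoryDeviceGroup": "/Assessment Tools",
                "categoryTechnique": "/Scan/Vulnerability"}
PORT_SCAN = {"categoryBehavior": "/Found/Vulnerable",
             "categoryDeviceGroup": "/Assessment Tools",
             "categoryTechnique": "/Scan/Port"}          # no "vulnerability" in technique
EXPLOIT_ON_VULNERABLE_ASSET = {"categoryTechnique": "/Exploit/Vulnerability",
                               "vulnerability": "example-vulnerability-id"}
WORM_WITH_TARGET_GEO = {"categoryObject": "/Host/Infection/Worm",
                        "targetGeoLatitude": 37.4, "targetGeoLongitude": -122.0}
WORM_WITHOUT_GEO = {"categoryTechnique": "/Code/Worm"}   # worm event, but not graphable

if __name__ == "__main__":
    for name, sample in [("scan finding", SCAN_FINDING), ("port scan", PORT_SCAN),
                         ("exploit", EXPLOIT_ON_VULNERABLE_ASSET),
                         ("worm w/ geo", WORM_WITH_TARGET_GEO), ("worm no geo", WORM_WITHOUT_GEO)]:
        print(f"{name:12} -> {sorted(matching_filters(sample))}")
```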

Worm Infected Systems

This resource has no description. Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Internal to Internal Events

This filter retrieves events internal to the company network.

Filter ArcSight Foundation/Common/Network Filters/Location Filters/

Worm Traffic

This resource has no description. Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

External Target

This filter identifies events targeting the outside network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Outbound Events

This filter identifies events originating from inside the company network, targeting the outside network.

Filter ArcSight Foundation/Common/Network Filters/Location Filters/

Internal Source

This filter identifies events coming from inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

All Events

Filter that matches all events. Filter ArcSight System/Core

Internal Target

This filter identifies events targeting inside the company network.

Filter ArcSight Foundation/Common/Network Filters/Boundary Filters/

Worm Activity

This resource has no description. Filter ArcSight Foundation/Intrusion Monitoring/Worm Outbreak/

Worm Infected Systems

This query returns the attacker zone name, attacker host name, and attacker address from events matching the Worm Traffic filter.

Query ArcSight Foundation/Intrusion Monitoring/Detail/Worm Outbreak/


Index

AAccess Active Sessions query 116Access Activity report 111Access Attempts by Resource query 117Access Closed Sessions query 116Access Events by Database Resource report 110Access Events by Email Resource report 112Access Events by File Resource report 111Access Events by Resource report 112Access Initiation Events active channel 109Access Initiation Events filter 115Access Termination Events active channel 110Access Termination Events filter 115Access to Database Resources filter 114Access to Email Resources filter 114Access to File Resources filter 114ActingUser global variable 82active channels

Access Initiation Events 109Access Termination Events 110All Access and Authentication Events 110Application Overview 66Business and Data Roles 55Business Roles - Last Hour 54Business Roles - Today 55Data Roles - Last Hour 56Data Roles - Today 56DoS Channel 59Intrusion Monitoring - Significant Events 145Operating System Overview 67Reconnaissance Activity 96Service Overview 66Vulnerability Events 168Vulnerability Scanner Events 168

active listsCompromised List 48, 159, 176Compromised User Accounts 48, 160Event-based Rule Exclusions 48, 62general configuration 13, 15Hit List 48, 159Hostile List 48, 99Infiltrators List 48Reconnaissance List 99Repetitive Firewall Block List 49Scanned List 99, 160Suspicious List 48, 99, 159Trusted List 48, 61, 99, 114, 142, 176Untrusted List 48, 99, 176User-based Rule Exclusions 48, 79Windows Created Accounts 49, 80Windows Locked Out Accounts 48, 79

Windows Login Count 48, 80Worm Infected Systems 114, 176

Address Spaces asset category 147Alert Counts by Device query 20Alert Counts by Device report 19Alert Counts by Port query 20Alert Counts by Port report 19Alert Counts by Severity (Chart) query 20Alert Counts by Severity query 20Alert Counts by Severity report 20Alert Counts by Type query 20Alert Counts by Type report 20Alert Counts per Hour query 21Alert Counts per Hour report 19Alerts from IDS-IPS resource group 19All Access and Authentication Events active channel 110All Access and Authentication Events filter 115All Events filter 20, 25, 49, 57, 83, 107, 114, 120, 125, 143, 151, 163, 178Anti-Virus Activity and Status resource group 22Anti-Virus Errors filter 24Anti-Virus Errors query 26Anti-Virus Events filter 24Anti-Virus Overview dashboard 22Application Brute Force Logins rule 44Application Event Counts data monitor 69Application Overview active channel 66Application Protocol Event Counts data monitor 149Application Protocol is not NULL filter 34, 63, 69, 142ArcSight Administration

overview 7ArcSight Events filter 49, 151, 163ArcSight Foundations overview 7ArcSight Internal Events filter 57, 64, 70, 85, 100, 143, 152ArcSight System

overview 7ArcSight System Administration asset category 62ASM Events filter 57, 64, 70, 83, 101, 143, 151asset categories

Address Spaces 147ArcSight System Administration 62Business Impact Analysis 57Business Role 57, 99, 147Communications 161Compliance Requirement 107Criticality 160Dark 49, 160Data Role 57, 147Database 160Development 148

Confidential Standard Content Guide 179

Page 180: Standard Content Guide - community.microfocus.com · network model, refer to the ArcSight Console User’s Guide or the ESM online Help. To learn To learn more about the architecture

Index

Domain Name Server 177Email 142, 160, 176Exchange 142High 160Infrastructure 148Location 147Microsoft 142, 160North America 160Operating System 68, 142Operations 147Protected 49, 62, 68, 99, 142, 147, 160, 177Proxy 177Revenue Generation 120, 147Role 147Sarbanes-Oxley 107Security Devices 147Service 147Very High 161Vulnerabilities 142Web 160

Asset Counts by Vulnerability trend 173Asset Vulnerability List report 169Assets Counts by Vulnerability Trend query 171Attack Counts by Service Query on Trend query 35Attack Counts by Target Zone Query on Trend query 34Attack Events filter 49, 57, 107, 120, 124, 150, 162Attack from Source having Reconnaissance History rule99Attack From Suspicious Source rule 45Attack Rates by Attacker Zone and Customer data mon-itor 31Attack Rates by Attacker Zone data monitor 32Attack Rates by Service and Customer data monitor 30Attack Rates by Service and Zones dashboard 28Attack Rates by Service dashboard 29Attack Rates by Service data monitor 30Attack Rates by Targeted Zone and Customer data mon-itor 32Attack Rates by Targeted Zone data monitor 30Attack Rates by Zones dashboard 27Attack Rates resource group 27Attacked or Compromised Systems dashboard 146Attacked or Compromised Systems data monitor 148Attacked or Compromised Systems filter 151Attacker Counts by ArcSight Priority query 51Attacker Counts by ArcSight Priority report 39Attacker Counts by Attacker Port query 53Attacker Counts by Attacker Port report 38Attacker Counts by Device query 52Attacker Counts by Device report 40Attacker Counts by Target Port query 50Attacker Counts by Target Port report 40Attacker Counts By Target query 52Attacker Counts By Target report 38Attacker Port Counts query 51Attacker Port Counts report 39Attacker User ID is NULL filter 84Attacker User Name and ID are NULL filter 85Attacker User Name is NULL filter 84Attacker Zones by Service and Customer data monitor 30Attacker Zones by Service data monitor 33Attackers resource group 37AttackerUser global variable 82Attacks data monitor 161Attacks Targeting Assets filter 163

Authentication Failures by Destination data monitor 81Authentication Failures by Source data monitor 80AV - Failed Updates filter 25AV - Found Infected filter 24

BBlaster DDOS From Infected Host rule 175Blaster Infected Host rule 176Bottom 10 Attack Sources query 53Bottom 10 Attackers query 50Bottom 10 Targets query 166Bottom N Attack Sources report 40Bottom N Attackers report 39Bottom N Targets report 158Brute Force Access Active Sessions on Trend query 116Brute Force Access Active Sessions query 116Brute Force Access Activity report 111Brute Force Access Closed Sessions on Trend query 115Brute Force Access Closed Sessions query 117Brute Force Access Session Trends trend 118Brute Force Access Sessions Trend query 116Brute Force Logins rule 41Brute Force Resource Access Initiation rule 114Brute Force Resource Access session list 117Brute Force Session Trends report 110Business and Data Roles active channel 55Business Impact Analysis asset category 57Business Impact Analysis field set 57, 150Business Impact Analysis resource group 54Business Impact Analysis use case 154Business Impact by Location - Successful Attacks data monitor 150Business Impact by Location dashboard 147Business Impact by Role - Successful Attacks data mon-itor 150Business Impact by Role dashboard 146Business Role - Attempted Attacks query 58Business Role - Attempted Attacks report 56Business Role - Development and Operations filter 151Business Role - Infrastructure filter 152Business Role - Revenue Generation filter 152Business Role - Security Devices filter 152Business Role - Service filter 151Business Role - Successful Attacks query 58Business Role - Successful Attacks report 56Business Role asset category 57, 99, 147Business Roles - Last Hour active channel 54Business Roles - Today active channel 55Business Roles dashboard 146Business Roles Scanned query 102By User Account - Compromised - Access query 165By User Account - Compromised - Access report 158By User Account - Compromised - All Activity query 166By User Account - Compromised - All Activity report 159

CClosed Connection Durations query 93Closed VPN Connection Durations query 51Communications asset category 161Communications Service Attack Activity data monitor162Compliance Requirement asset category 107Compromised List active list 48, 159, 176

180 Standard Content Guide Confidential

Page 181: Standard Content Guide - community.microfocus.com · network model, refer to the ArcSight Console User’s Guide or the ESM online Help. To learn To learn more about the architecture

Index

Compromised User Accounts active list 48, 160configuration

active lists 13, 15Connection Counts by User report 38, 76Connection Durations by User report 76content packages 8Critical Asset (High or Very High) Target Port Not Null fil-ter 164Critical Asset Group Count data monitor 161Critical Asset Monitoring dashboard 156Critical Attacker Assets data monitor 161Critical Attacker Assets Priority gt 6 filter 164Critical Target Asset filter 163Critical Target Asset Priority gt 6 filter 163Critical Target Assets data monitor 161Critical Target Assets Event Graph data monitor 162Critical Target Assets Port Anomalies data monitor 161Criticality asset category 160Current Environment Status Overview dashboard 67Customer Attack Rates by Service and Zones dashboard28Customer Attack Rates by Service dashboard 28Customer Attack Rates by Zones dashboard 29

D
Daily Port Scanning Activity on Trend (Chart Query) query 103
Daily Port Scanning Activity on Trend query 103
Daily Scanning Events by Business Role on Trend query 104
Daily Top 10 Resource Access on Trend query 115
Daily Top 10 Resource Access Trends report 113
Daily Top 10 Resource Access Trends trend 118
Daily Top 10 Vulnerabilities in Events Trend report 169
Dark asset category 49, 160
dashboards
    Anti-Virus Overview 22
    Attack Rates by Service 29
    Attack Rates by Service and Zones 28
    Attack Rates by Zones 27
    Attacked or Compromised Systems 146
    Business Impact by Location 147
    Business Impact by Role 146
    Business Roles 146
    Critical Asset Monitoring 156
    Current Environment Status Overview 67
    Customer Attack Rates by Service 28
    Customer Attack Rates by Service and Zones 28
    Customer Attack Rates by Zones 29
    Executive View 146
    Firewall Login Overview 75
    Identity Management Overview 75
    Inbound Event Spikes 60
    Network Login Overview 74
    Operating System Login Overview 75
    Reconnaissance Graph 96
    Reconnaissance in Progress 96
    Security Activity Statistics 146
    Service Attacks 156
    Service-Communications Attacks 156
    Service-Database Attacks 155
    Service-Email Attacks 155
    Service-Web Attacks 155
    Successful Inbound Attacks 156
    Top 10 Attack Rate Statistics by Service 27
    Top 10 Attack Rate Statistics by Service and Zones 29
    Top 10 Attack Rate Statistics by Zones 28
    Top 10 Customer Attack Rate Statistics by Service 28
    Top 10 Customer Attack Rate Statistics by Service and Zones 28
    Top 10 Customer Attack Rate Statistics by Zones 29
    Virus Activity Overview 22
    Virus Activity Statistics 22
    VPN Login Overview 74
    Worm Infected Systems 146
    Worm Outbreak 174
    Worm Outbreak Overview 174
    Worm Spread Geo View 174
data monitors
    Application Event Counts 69
    Application Protocol Event Counts 149
    Attack Rates by Attacker Zone 32
    Attack Rates by Attacker Zone and Customer 31
    Attack Rates by Service 30
    Attack Rates by Service and Customer 30
    Attack Rates by Targeted Zone 30
    Attack Rates by Targeted Zone and Customer 32
    Attacked or Compromised Systems 148
    Attacker Zones by Service 33
    Attacker Zones by Service and Customer 30
    Attacks 161
    Authentication Failures by Destination 81
    Authentication Failures by Source 80
    Business Impact by Location - Successful Attacks 150
    Business Impact by Role - Successful Attacks 150
    Communications Service Attack Activity 162
    Critical Asset Group Count 161
    Critical Attacker Assets 161
    Critical Target Assets 161
    Critical Target Assets Event Graph 162
    Critical Target Assets Port Anomalies 161
    Database Service Attack Activity 161
    Email Service Attack Activity 162
    Event Counts by Hour 149
    Events per Address Space 148
    Firewall Accepts 63
    Inbound Event Spikes for Hosts 62
    Inbound Event Spikes for Networks 63
    Inbound Event Spikes for Services 62
    Last 10 Anti-Virus Errors 24
    Last 10 Failed Login Events 80, 81
    Last 10 Hosts Scanned 99
    Last 10 Scanners 100
    Last 10 Successful Login Events 80, 81, 82
    Last 10 Zones Scanned 100
    Login Results 81
    Operating Systems Event Counts 69
    Recent Events 149
    Reconnaissance Graph 100
    Service Event Counts 68
    Status by Business Role 149
    Status by Development and Operations Roles 148
    Status by Infrastructure Role 148
    Status by Revenue Generation Role 150
    Status by Security Device Role 149
    Status by Service Role 150


    Successful Inbound Attacks 149, 162
    Target Port Activity by Attacker 177
    Targeted Zones by Service 33
    Targeted Zones by Service and Customer 31
    Top 10 Anti-Virus Errors 23
    Top 10 Application Events 68
    Top 10 Attacked Services 32
    Top 10 Attacker Zones 32
    Top 10 Attacker Zones by Customer 33
    Top 10 Attacker Zones by Service 31
    Top 10 Attacker Zones by Service and Customer 33
    Top 10 Communications Service Targets 162
    Top 10 Database Service Targets 162
    Top 10 Email Service Targets 161
    Top 10 Infected Systems 23
    Top 10 Infections 23
    Top 10 Operating System Events 69
    Top 10 Service Events 68
    Top 10 Targeted Services by Customer 33
    Top 10 Targeted Zones 33
    Top 10 Targeted Zones by Customer 32
    Top 10 Targeted Zones by Service 31
    Top 10 Targeted Zones by Service and Customer 31
    Top 10 Users With Failed Logins 80, 81, 82
    Top 10 Web Service Targets 162
    Top 10 Zones Scanned 100
    Top Attacker IPs 148
    Top Attackers Targeting Critical Assets 161
    Top Categories 150
    Top Connectors 148
    Top Target IPs 149
    Top Transport Protocols 150
    Top Users by Connection Count 81
    Top Users by Login Activity 80
    Virus Activity 23
    Virus Activity by Host 24
    Virus Activity by Zone 24
    Web Service Attack Activity 161
    Worm Activity Status 177
    Worm Infected Machines 149
    Worm Infected Systems 149, 177
    Worm Propagation by Host 177
    Worm Propagation by Zone 177
    Worm Spread 177
Data Role asset category 57, 147
Data Roles - Last Hour active channel 56
Data Roles - Today active channel 56
Database asset category 160
Database Events filter 84
Database Resource Access by Users report 111
Database Service Attack Activity data monitor 161
Denied Inbound Connections by Address query 52
Denied Inbound Connections by Address report 39
Denied Inbound Connections by Port query 51
Denied Inbound Connections by Port report 40
Denied Inbound Connections per Hour (Chart) query 53
Denied Inbound Connections per Hour query 51
Denied Inbound Connections per Hour report 38
Denied Outbound Connections by Address query 52
Denied Outbound Connections by Address report 39
Denied Outbound Connections by Port query 52
Denied Outbound Connections by Port report 37
Denied Outbound Connections per Hour (Chart) query 53
Denied Outbound Connections per Hour query 52
Denied Outbound Connections per Hour report 38
Development asset category 148
Device SNMP Authentication Failures by User query 93
Device SNMP Authentication Failures query 94
Device SNMP Authentication Failures report 75
Domain Name Server asset category 177
DoS Channel active channel 59
DoS resource group 59

E
Email asset category 142, 160, 176
Email Resource Access by Users report 111
Email Service Attack Activity data monitor 162
Environment State resource group 66
Environment State use case 153
Environment Status Events - Trend query 72
Environment Status Events over the Last 24 Hours (Chart Query) query 73
Environment Status Events over the Last 24 Hours report 67
Environment Status Events trend 73
Errors Detected in Anti-Virus Deployment report 23
Event Counts by Hour data monitor 149
Event-based Rule Exclusions active list 48, 62
Events for Internal Applications excluding services filter 70
Events for Internal Operating Systems filter 71
Events for Internal Services filter 70
Events per Address Space data monitor 148
Events with Vulnerabilities filter 170
Exchange asset category 142
Executive View dashboard 146
External Source filter 49, 151, 162
External Target filter 50, 143, 178

F
Failed Anti-Virus Updates Chart query 25
Failed Anti-Virus Updates query 25
Failed Anti-Virus Updates report 23
Failed Firewall Login Events filter 84
Failed Identity Management Login Attempts filter 85
Failed Login Attempts (Chart) query 93
Failed Login Attempts focused report 85, 87
Failed Login Attempts query 92
Failed Login Attempts report 75
Failed Login by User (Chart) query 92
Failed Login by User query 92
Failed Login Events filter 83
Failed Logins by Destination Address (Chart) query 91
Failed Logins by Destination Address focused report 86, 87, 88, 91
Failed Logins by Destination Address report 76
Failed Logins by Source Address (Chart) query 93
Failed Logins by Source Address focused report 85, 89, 90, 91
Failed Logins by Source Address report 77
Failed Logins by Source-Destination Pair query 93
Failed Logins by User focused report 86, 88, 89, 90, 91
Failed Logins by User report 76
Failed Logins per Day query 127
Failed Logins per Hour query 125, 126
Failed Logins per Hour trend 128
Failed Network Login Events filter 83


Failed Operating System Login Events filter 83
Failed VPN Login Events filter 84
field sets
    Business Impact Analysis 57, 150
    Resource Access 114
    Status Overview 69
    Vulnerability 170
    Vulnerability Scanner 170
File Resource Access by Users report 112
filters
    Access Initiation Events 115
    Access Termination Events 115
    Access to Database Resources 114
    Access to Email Resources 114
    Access to File Resources 114
    All Access and Authentication Events 115
    All Events 20, 25, 49, 57, 83, 107, 114, 120, 125, 143, 151, 163, 178
    Anti-Virus Errors 24
    Anti-Virus Events 24
    Application Protocol is not NULL 34, 63, 69, 142
    ArcSight Events 49, 151, 163
    ArcSight Internal Events 57, 64, 70, 85, 100, 143, 152
    ASM Events 57, 64, 70, 83, 101, 143, 151
    Attack Events 49, 57, 107, 120, 124, 150, 162
    Attacked or Compromised Systems 151
    Attacker User ID is NULL 84
    Attacker User Name and ID are NULL 85
    Attacker User Name is NULL 84
    Attacks Targeting Assets 163
    AV - Failed Updates 25
    AV - Found Infected 24
    Business Role - Development and Operations 151
    Business Role - Infrastructure 152
    Business Role - Revenue Generation 152
    Business Role - Security Devices 152
    Business Role - Service 151
    Critical Asset (High or Very High) Target Port Not Null 164
    Critical Attacker Assets Priority gt 6 164
    Critical Target Asset 163
    Critical Target Asset Priority gt 6 163
    Database Events 84
    Events for Internal Applications excluding services 70
    Events for Internal Operating Systems 71
    Events for Internal Services 70
    Events with Vulnerabilities 170
    External Source 49, 151, 162
    External Target 50, 143, 178
    Failed Firewall Login Events 84
    Failed Identity Management Login Attempts 85
    Failed Login Events 83
    Failed Network Login Events 83
    Failed Operating System Login Events 83
    Failed VPN Login Events 84
    Firewall Accepts 63
    Firewall Events 65, 84
    Firewall Login Events 84
    High Criticality Assets 163
    Identity Management Connection Start Events 82
    Identity Management Events 85
    IDS -IPS Events 20, 50, 64, 124, 163
    Inbound Attacks 151, 163
    Inbound Events 50, 152, 163
    Inbound Events for Hosts 64
    Inbound Events for Networks 64
    Inbound Events for Service 63
    Internal Source 49, 143, 151, 163, 178
    Internal Target 49, 64, 70, 101, 143, 151, 163, 178
    Internal to Internal Events 178
    LockedCount is NULL 83
    Login Events 82
    LoginCount is NULL or 0 84
    Network Events 82
    Network Login Events 84
    Non-ArcSight Events 50, 152, 164
    Non-ArcSight Internal Events 57, 64, 70, 85, 100, 143, 152
    Not Correlated and Not Closed and Not Hidden 100
    Operating System Events 85
    Operating System Login Events 83
    Outbound Events 49, 178
    Possible Attack Events 34, 63
    Reconnaissance Events (Internal Targets) 101
    Reconnaissance Events by Attacker 100
    Reconnaissance Events by Target 100
    Reconnaissance Events by Target Zone 100
    Scanner Events 125, 170
    Services - Communications Service 164
    Services - Database Service 163
    Services - Email Service 164
    Services - Web Service 162
    Status by Business Role 151
    Successful Attacks 57, 152
    Successful Firewall Login Events 85
    Successful Inbound DoS Events - Trend Filter 64, 142
    Successful Login Events 83
    Successful Network Login Events 83
    Successful Operating System Login Events 83
    Successful VPN Login Events 84
    Successful Windows Login 49, 84
    Successful Windows Logout 82
    Target Address is NULL 24
    Target Asset has Asset Name 64, 70, 143
    Target Asset has OS Categorization 70
    Target Host Name is NULL 24
    Target Object starts with Host Application 70
    Target Port Activity By Attacker 177
    Target Port is not NULL 34, 64, 70, 142
    Target Service Name is not NULL 34, 64, 70, 143
    Target User ID is NULL 49, 83
    Target User Name is NULL 85
    Target Zone is NULL 25
    Targeted Business Impact Analysis 57
    Transport Protocol is not NULL 34, 65, 70, 143
    Update Events 25
    Very High Criticality Assets 163
    Virus Activity 24
    VPN Events 82
    VPN Login Events 83
    Worm Activity 178
    Worm Geo Filter 178
    Worm Infected Systems 178
    Worm Outbreak 150, 177
    Worm Traffic 152, 178
Firewall - Application Protocol Scan rule 98


Firewall - High Volume Accepts rule 44
Firewall - Host Port Scan rule 98
Firewall - Network Port Scan rule 99
Firewall - Pass After Repetitive Blocks rule 42
Firewall - Repetitive Block - In Progress rule 42
Firewall Accepts data monitor 63
Firewall Accepts filter 63
Firewall Events filter 65, 84
Firewall Login Events filter 84
Firewall Login Overview dashboard 75
focused reports
    Failed Login Attempts 85, 87
    Failed Logins by Destination Address 86, 87, 88, 91
    Failed Logins by Source Address 85, 89, 90, 91
    Failed Logins by User 86, 88, 89, 90, 91
    Login Event Audit 87, 89, 90
    Successful Logins by Destination Address 87, 88
    Successful Logins by Source Address 85, 86, 89, 90
    Successful Logins by User 86, 87, 88, 90
    Top 10 Alerts 20
    Top 10 Attackers 50
    Top 10 Targets 164
    Top 5 IDS Signatures per Day (Snort-Snort) 125
    Top 5 Signatures per Day (CISCO-CiscoSecureIDS) 125
    Top Hosts by Number of Connections 86, 89

G
global variables
    ActingUser 82
    AttackerUser 82
    TargetUser 82

H
High asset category 160
High Criticality Assets filter 163
High Number of IDS Alerts for Backdoor rule 42
High Number of IDS Alerts for DoS rule 61
Hit List active list 48, 159
Hostile List active list 48, 99

I
Identity Management Connection Start Events filter 82
Identity Management Events filter 85
Identity Management Overview dashboard 75
IDS -IPS Events filter 20, 50, 64, 124, 163
Inbound Attacks filter 151, 163
Inbound DoS Events - Yesterday report 60
Inbound DoS Events trend 65, 144
Inbound Event Spikes dashboard 60
Inbound Event Spikes for Hosts data monitor 62
Inbound Event Spikes for Networks data monitor 63
Inbound Event Spikes for Services data monitor 62
Inbound Events filter 50, 152, 163
Inbound Events for Hosts filter 64
Inbound Events for Networks filter 64
Inbound Events for Service filter 63
Infected Systems query 25
Infiltrators List active list 48
Infrastructure asset category 148
Internal Source filter 49, 143, 151, 163, 178
Internal Target filter 49, 64, 70, 101, 143, 151, 163, 178
Internal to Internal Events filter 178
Intrusion Monitoring - Significant Events active channel 145

L
Last 10 Anti-Virus Errors data monitor 24
Last 10 Failed Login Events data monitor 80, 81
Last 10 Hosts Scanned data monitor 99
Last 10 Scanners data monitor 100
Last 10 Successful Login Events data monitor 80, 81, 82
Last 10 Zones Scanned data monitor 100
Location asset category 147
LockedCount is NULL filter 83
Login Errors by User (Chart) query 93
Login Errors by User query 92
Login Errors by User report 77
Login Event Audit focused report 87, 89, 90
Login Event Audit query 91
Login Event Audit report 75
Login Events filter 82
Login Results data monitor 81
Login Tracking resource group 74
LoginCount is NULL or 0 filter 84

M
Microsoft asset category 142, 160
Multi Host Application Brute Force Logins rule 43
Multiple Login Attempts to Locked Windows Account rule 44
Multiple Windows Logins by Same User rule 47

N
Network Events filter 82
Network Login Events filter 84
Network Login Overview dashboard 74
Non-ArcSight Events filter 50, 152, 164
Non-ArcSight Internal Events filter 57, 64, 70, 85, 100, 143, 152
North America asset category 160
Not Correlated and Not Closed and Not Hidden filter 100
Notify on Successful Attack rule 44
Number of Failed Logins - Daily report 123
Number of Failed Logins - Today report 124
Number of Failed Logins - Weekly report 123
Number of Vulnerabilities per Asset query 127
Number of Vulnerabilities per Asset trend 128
Number of Vulnerabilities per Week query 127

O
Operating System asset category 68, 142
Operating System Events filter 85
Operating System Login Events filter 83
Operating System Login Overview dashboard 75
Operating System Overview active channel 67
Operating Systems Event Counts data monitor 69
Operations asset category 147
Outbound Events filter 49, 178

P
packages


    deleting 12
    installing 11
    uninstalling 11
Port Scanning Activity report 98
Port Scanning Activity Trend report 96
Port Scanning Daily Top 20 trend 104
Port Scanning Daily Top 20, Trend on Trend query 102
Port Scanning trend 105
Port Scanning Trend query 102
Ports Scanned query 102
Possible Attack Events filter 34, 63
Possible DoS on Hosts rule 60
Possible DoS on Network rule 61
Possible DoS on Services rule 61
Possible Internal Network Sweep rule 176
Possible Outbound Network Sweep rule 176
Prioritized Attack Counts by Service - Last 24 Hours report 29
Prioritized Attack Counts by Service - Last Hour query 34
Prioritized Attack Counts by Service - Trend query 35
Prioritized Attack Counts by Service Query on Trend query 34
Prioritized Attack Counts by Service trend 36
Prioritized Attack Counts by Target Zone - Last 24 Hours report 29
Prioritized Attack Counts by Target Zone - Last Hour query 34
Prioritized Attack Counts by Target Zone - Trend query 35
Prioritized Attack Counts by Target Zone Query on Trend query 35
Prioritized Attack Counts by Target Zone trend 35
Prioritized Scanning Activity by Business Role report 97
Prioritized Scanning Activity by Zone report 97
Prioritized Vulnerabilities in Events by Zone query 171
Prioritized Vulnerability Events by Zone trend 172
Probable Attack - Script Attack rule 47
Probable Successful Attack - Brute Force rule 47
Probable Successful Attack - DoS rule 43
Probable Successful Attack - Execute rule 46
Probable Successful Attack - Exploit rule 42
Probable Successful Attack - Information Leak rule 46
Probable Successful Attack - Probable Redirect Attack rule 45
Probable Successful Attack - Repetitive Exploit Events rule 40
Probable Successful Attack - System Configuration rule 41
Protected asset category 49, 62, 68, 99, 142, 147, 160, 177
Proxy asset category 177

Q
queries
    Access Active Sessions 116
    Access Attempts by Resource 117
    Access Closed Sessions 116
    Alert Counts by Device 20
    Alert Counts by Port 20
    Alert Counts by Severity 20
    Alert Counts by Severity (Chart) 20
    Alert Counts by Type 20
    Alert Counts per Hour 21
    Anti-Virus Errors 26
    Assets Counts by Vulnerability Trend 171
    Attack Counts by Service Query on Trend 35
    Attack Counts by Target Zone Query on Trend 34
    Attacker Counts by ArcSight Priority 51
    Attacker Counts by Attacker Port 53
    Attacker Counts by Device 52
    Attacker Counts By Target 52
    Attacker Counts by Target Port 50
    Attacker Port Counts 51
    Bottom 10 Attack Sources 53
    Bottom 10 Attackers 50
    Bottom 10 Targets 166
    Brute Force Access Active Sessions 116
    Brute Force Access Active Sessions on Trend 116
    Brute Force Access Closed Sessions 117
    Brute Force Access Closed Sessions on Trend 115
    Brute Force Access Sessions Trend 116
    Business Role - Attempted Attacks 58
    Business Role - Successful Attacks 58
    Business Roles Scanned 102
    By User Account - Compromised - Access 165
    By User Account - Compromised - All Activity 166
    Closed Connection Durations 93
    Closed VPN Connection Durations 51
    Daily Port Scanning Activity on Trend 103
    Daily Port Scanning Activity on Trend (Chart Query) 103
    Daily Scanning Events by Business Role on Trend 104
    Daily Top 10 Resource Access on Trend 115
    Denied Inbound Connections by Address 52
    Denied Inbound Connections by Port 51
    Denied Inbound Connections per Hour 51
    Denied Inbound Connections per Hour (Chart) 53
    Denied Outbound Connections by Address 52
    Denied Outbound Connections by Port 52
    Denied Outbound Connections per Hour 52
    Denied Outbound Connections per Hour (Chart) 53
    Device SNMP Authentication Failures 94
    Device SNMP Authentication Failures by User 93
    Environment Status Events - Trend 72
    Environment Status Events over the Last 24 Hours (Chart Query) 73
    Failed Anti-Virus Updates 25
    Failed Anti-Virus Updates Chart 25
    Failed Login Attempts 92
    Failed Login Attempts (Chart) 93
    Failed Login by User 92
    Failed Login by User (Chart) 92
    Failed Logins by Destination Address (Chart) 91
    Failed Logins by Source Address (Chart) 93
    Failed Logins by Source-Destination Pair 93
    Failed Logins per Day 127
    Failed Logins per Hour 125, 126
    Infected Systems 25
    Login Errors by User 92
    Login Errors by User (Chart) 93
    Login Event Audit 91
    Number of Vulnerabilities per Asset 127
    Number of Vulnerabilities per Week 127
    Port Scanning Daily Top 20, Trend on Trend 102
    Port Scanning Trend 102
    Ports Scanned 102
    Prioritized Attack Counts by Service - Last Hour 34
    Prioritized Attack Counts by Service - Trend 35


    Prioritized Attack Counts by Service Query on Trend 34
    Prioritized Attack Counts by Target Zone - Last Hour 34
    Prioritized Attack Counts by Target Zone - Trend 35
    Prioritized Attack Counts by Target Zone Query on Trend 35
    Prioritized Vulnerabilities in Events by Zone 171
    Recent Activity Affecting Target Assets in Compromised List 166
    Recent Activity Affecting Target Assets in Hit List 167
    Recent Activity Affecting Target Assets in Scanned List 166
    Reconnaissance Activity Trend 103
    Reconnaissance Types Detected 102
    Reconnaissance Types Detected on Trend 101
    Reconnaissance Types Detected on Trend (Chart Query) 103
    Reconnaissance Types Detected Trend 104
    Regulated Systems - By Attack 107
    Regulated Systems - By Host - Attacked 108
    Regulated Systems - Count Vulnerabilities 108
    Resource Access Attempts 116
    Resource Access on Trend 116
    Resource Access Trend 117
    Resource Accesses 115
    Revenue Generating Systems - Attacked 121
    Revenue Generating Systems - Compromise - All 121
    Revenue Generating Systems - Compromise - Availability 121
    Revenue Generating Systems - Compromise - Confidentiality 121
    Revenue Generating Systems - Compromise - Integrity 121
    SANS Top 20 (v6.01) Attacked Systems - hourly 143
    Sarbanes-Oxley - Top 10 Targets 107
    SIS-Assets Compromised Table Query 153
    SIS-Cases Added Table Query 153
    SIS-Event Count by Agent Severity Chart Query 152
    SIS-Notifications Sent Table Query 153
    SIS-Top Attackers Chart Query 153
    SIS-Top Attacks Table Query 153
    SIS-Top Events Table Query 153
    SIS-Top Firing Rules Table Query 152
    SIS-Top Target Ports Chart Query 153
    SIS-Top Targets Chart Query 153
    SNMP Authentication Failures by Device 93
    Successful Inbound DoS Events - Trend 65, 144
    Successful Inbound DoS Events Last Hour 65
    Successful Inbound DoS Events Query on Trend 65, 143
    Successful Login by User 92
    Successful Login by User (Chart) 94
    Successful Logins by Destination Address (Chart) 93
    Successful Logins by Source Address (Chart) 91
    Successful Logins by Source-Destination Pair 94
    Target Counts by ArcSight Priority 165
    Target Counts by Attacker 166
    Target Counts by Attacker Port 52
    Target Counts by Device 167
    Target Counts by Event Name 167
    Target Counts by Target Port 166
    Target Port Counts 166
    Targets in Compromised List 166
    Targets in Hit List 165
    Targets in Scanned List 164
    Top 10 Attack Signatures targeting Windows Assets 165
    Top 10 Attack Sources 51
    Top 10 Attacked Assets in North America 165
    Top 10 Attacker Details 51
    Top 10 Attackers 50
    Top 10 Daily Vulnerabilities in Events on Trend 171
    Top 10 Daily Vulnerability Events on Trend 172
    Top 10 Reconnaissance Types Detected on Trend 101
    Top 10 Talkers 126
    Top 10 Targets 125, 165
    Top Alert Destinations 165
    Top Alert Sources 51
    Top Anti-Virus Errors 26
    Top Application Status Events on Trend 71
    Top Application Status Events over the Last 24 Hours 72
    Top Application Status Events over the Last 24 Hours (Chart Query) 73
    Top Attacker Ports 50
    Top Connection Durations 92
    Top Hosts by Number of Connections 93
    Top IDS and IPS Alerts 20, 126
    Top IDS Signature Destinations per Day 127
    Top IDS Signature Sources per Day 126
    Top IDS Signatures by IDS Product 126
    Top Infected Systems 26
    Top N Vulnerabilities in Events on Trend 171
    Top Operating System Status Events on Trend 72
    Top OS Status Events over the Last 24 Hours 71
    Top OS Status Events over the Last 24 Hours (Chart Query) 73
    Top Service Status Events on Trend 71
    Top Service Status Events over the Last 24 Hours 72
    Top Service Status Events over the Last 24 Hours (Chart Query) 71
    Top Status Events on Trend 71
    Top Target Ports Chart 167
    Top Users by Connection Count 53, 92
    Top Users with Failed Logins per Day 125, 127
    Top Users with Failed Logins per Week 126
    Top VPN Connection Durations 52
    Top Vulnerable Systems per Week 126
    Top Zones with Anti-Virus Errors 25
    Update Summary 26
    Update Summary Chart 26
    User Activity 91
    Users by Connection Count 52, 92
    Users with Open Connections 91
    Users with Open VPN Connections 53
    Virus Activity by Hour 25
    Vulnerabilities (by Asset Counts) on Trend 171
    Vulnerabilities and Assets 170
    Vulnerabilities in Events by Zone (Chart Query) 171
    Vulnerability Scanner Logs 127
    Windows Events 92
    Worm Infected Systems 178
    Zone Scanning Activity on Trend 104
    Zone Scanning Activity on Trend (Chart Query) 104


    Zone Scanning Events 101
    Zone Scanning Events by Priority Trend 103

R
Recent Activity Affecting Target Assets in Compromised List query 166
Recent Activity Affecting Target Assets in Compromised List report 157
Recent Activity Affecting Target Assets in Hit List query 167
Recent Activity Affecting Target Assets in Hit List report 159
Recent Activity Affecting Target Assets in Scanned List query 166
Recent Activity Affecting Target Assets in Scanned List report 156
Recent Events data monitor 149
Reconnaissance Activity active channel 96
Reconnaissance Activity trend 105
Reconnaissance Activity Trend query 103
Reconnaissance Events (Internal Targets) filter 101
Reconnaissance Events by Attacker filter 100
Reconnaissance Events by Target filter 100
Reconnaissance Events by Target Zone filter 100
Reconnaissance Graph dashboard 96
Reconnaissance Graph data monitor 100
Reconnaissance in Progress dashboard 96
Reconnaissance List active list 99
Reconnaissance resource group 95
Reconnaissance Types Detected by Zone report 98
Reconnaissance Types Detected on Trend (Chart Query) query 103
Reconnaissance Types Detected on Trend query 101
Reconnaissance Types Detected query 102
Reconnaissance Types Detected trend 105
Reconnaissance Types Detected Trend query 104
Reconnaissance Types Detected Trend report 97
Regulated Systems - By Attack query 107
Regulated Systems - By Attack report 107
Regulated Systems - By Host - Attacked query 108
Regulated Systems - By Host - Attacked report 106
Regulated Systems - Count Vulnerabilities query 108
Regulated Systems - Count Vulnerabilities report 106
Regulated Systems resource group 106
Regulated Systems use case 154
Repetitive Firewall Block List active list 49
reports
    Access Activity 111
    Access Events by Database Resource 110
    Access Events by Email Resource 112
    Access Events by File Resource 111
    Access Events by Resource 112
    Alert Counts by Device 19
    Alert Counts by Port 19
    Alert Counts by Severity 20
    Alert Counts by Type 20
    Alert Counts per Hour 19
    Asset Vulnerability List 169
    Attacker Counts by ArcSight Priority 39
    Attacker Counts by Attacker Port 38
    Attacker Counts by Device 40
    Attacker Counts By Target 38
    Attacker Counts by Target Port 40
    Attacker Port Counts 39
    Bottom N Attack Sources 40
    Bottom N Attackers 39
    Bottom N Targets 158
    Brute Force Access Activity 111
    Brute Force Session Trends 110
    Business Role - Attempted Attacks 56
    Business Role - Successful Attacks 56
    By User Account - Compromised - Access 158
    By User Account - Compromised - All Activity 159
    Connection Counts by User 38, 76
    Connection Durations by User 76
    Daily Top 10 Resource Access Trends 113
    Daily Top 10 Vulnerabilities in Events Trend 169
    Database Resource Access by Users 111
    Denied Inbound Connections by Address 39
    Denied Inbound Connections by Port 40
    Denied Inbound Connections per Hour 38
    Denied Outbound Connections by Address 39
    Denied Outbound Connections by Port 37
    Denied Outbound Connections per Hour 38
    Device SNMP Authentication Failures 75
    Email Resource Access by Users 111
    Environment Status Events over the Last 24 Hours 67
    Errors Detected in Anti-Virus Deployment 23
    Failed Anti-Virus Updates 23
    Failed Login Attempts 75
    Failed Logins by Destination Address 76
    Failed Logins by Source Address 77
    Failed Logins by User 76
    File Resource Access by Users 112
    Inbound DoS Events - Yesterday 60
    Login Errors by User 77
    Login Event Audit 75
    Number of Failed Logins - Daily 123
    Number of Failed Logins - Today 124
    Number of Failed Logins - Weekly 123
    Port Scanning Activity 98
    Port Scanning Activity Trend 96
    Prioritized Attack Counts by Service - Last 24 Hours 29
    Prioritized Attack Counts by Target Zone - Last 24 Hours 29
    Prioritized Scanning Activity by Business Role 97
    Prioritized Scanning Activity by Zone 97
    Recent Activity Affecting Target Assets in Compromised List 157
    Recent Activity Affecting Target Assets in Hit List 159
    Recent Activity Affecting Target Assets in Scanned List 156
    Reconnaissance Types Detected by Zone 98
    Reconnaissance Types Detected Trend 97
    Regulated Systems - By Attack 107
    Regulated Systems - By Host - Attacked 106
    Regulated Systems - Count Vulnerabilities 106
    Resource Access by Users 112
    Resource Access Trend 110
    Revenue Generating Systems - Attacked 119
    Revenue Generating Systems - Compromise - All 119
    Revenue Generating Systems - Compromise - Availability 120
    Revenue Generating Systems - Compromise - Confidentiality 120


    Revenue Generating Systems - Compromise - Integrity 120
    SANS Top 20 (v6.01) Attacked Systems - Hourly Report 130
    SANS Top 20 (v6.01) Vulnerability Area Activity - Hourly Report 129
    Sarbanes-Oxley - Top 10 Targets 107
    Scanning Activity by Business Role Trend 96
    Scanning Activity by Zone Trend 97
    Security Intelligence Status Report 147
    Successful Logins by Destination Address 76
    Successful Logins by Source Address 77
    Successful Logins by User 75
    Target Counts by ArcSight Priority 157
    Target Counts by Attacker 157
    Target Counts by Attacker Port 37
    Target Counts by Device 159
    Target Counts by Event Name 159
    Target Counts by Target Port 159
    Target Port Counts 157
    Targets in Compromised List 157
    Targets in Hit List 158
    Targets in Scanned List 156
    Top 10 Talkers 123
    Top 10 Vulnerable Systems - Today 122
    Top 10 Vulnerable Systems - Weekly 124
    Top 5 IDS Signature Destinations per Day 123
    Top 5 IDS Signature Sources per Day 123
    Top 5 IDS Signatures per Day 122
    Top 5 Users with Failed Logins - Daily 124
    Top 5 Users with Failed Logins - Today 122
    Top 5 Users with Failed Logins - Weekly 124
    Top Alert Destinations 158
    Top Alert Sources 39
    Top Alerts from IDS and IPS 19, 122
    Top Application Status Events over the Last 24 Hours 68
    Top Attacker Ports 38
    Top Attackers 39
    Top Hosts by Number of Connections 77
    Top Infected Systems 23
    Top N Attack Signatures Targeting Windows Assets 156
    Top N Attack Sources 39
    Top N Attacked Assets in North America 158
    Top N Attacker Details 38
    Top N Targets (3D Pie Chart) 157
    Top N Targets (Bar Chart) 156
    Top N Targets (Inverted Bar Chart) 159
    Top N Targets (Pie Chart) 158
    Top N Targets (Table and Chart) 158
    Top N Targets (Table) 157
    Top N Vulnerabilities on Assets 169
    Top OS Status Events over the Last 24 Hours 68
    Top Service Status Events over the Last 24 Hours 67
    Top Target IPs 124
    Top Target Ports Chart 157
    Top Targets 158
    Top Users by Average Session Length 37
    Top Vulnerabilities in Events Trend 169
    Total Number of Vulnerable Systems - Monthly 123
    Total Number of Vulnerable Systems - Yearly 123
    Trend: Environment Status Events - Yesterday 67
    Trend: Inbound DoS Events - Yesterday 60, 129
    Trend: Prioritized Attack Counts by Service - Last 24 Hours 29
    Trend: Prioritized Attack Counts by Target Zone - Last 24 Hours 30
    Trend: Top Application Status Events over the Last 24 Hours 67
    Trend: Top OS Status Events over the Last 24 Hours 67
    Trend: Top Service Status Events over the Last 24 Hours 68
    Update Summary 23
    User Activity 76
    Virus Activity by Time 23
    Vulnerabilities and Assets 169
    Vulnerabilities in Events by Zone 169
    Vulnerability Scanner Logs - by Host 123
    Vulnerability Scanner Logs - by Vulnerability 124
    Windows Events 76
    Worm Infected Systems 175
Resource Access Attempts query 116
Resource Access by Users report 112
Resource Access field set 114
Resource Access Initiation rule 113
Resource Access on Trend query 116
Resource Access resource group 109
Resource Access session list 117
Resource Access Termination rule 113
Resource Access trend 118
Resource Access Trend query 117
Resource Access Trend report 110
Resource Accesses query 115
resource groups
    Alerts from IDS-IPS 19
    Anti-Virus Activity and Status 22
    Attack Rates 27
    Attackers 37
    Business Impact Analysis 54
    DoS 59
    Environment State 66
    Login Tracking 74
    Reconnaissance 95
    Regulated Systems 106
    Resource Access 109
    Revenue Generating Systems 119
    SANS Top 20 129
    SANS Top 5 Reports 122
    Security Overview 145
    Targets 155
    Vulnerability 168
    Worm Outbreak 174
Revenue Generating Systems - Attacked query 121
Revenue Generating Systems - Attacked report 119
Revenue Generating Systems - Compromise - All query 121
Revenue Generating Systems - Compromise - All report 119
Revenue Generating Systems - Compromise - Availability query 121
Revenue Generating Systems - Compromise - Availability report 120
Revenue Generating Systems - Compromise - Confidentiality query 121
Revenue Generating Systems - Compromise - Confidentiality report 120
Revenue Generating Systems - Compromise - Integrity query 121
Revenue Generating Systems - Compromise - Integrity report 120
Revenue Generating Systems resource group 119
Revenue Generating Systems use case 153
Revenue Generation asset category 120, 147
Role asset category 147
rules

    Application Brute Force Logins 44
    Attack from Source having Reconnaissance History 99
    Attack From Suspicious Source 45
    Blaster DDOS From Infected Host 175
    Blaster Infected Host 176
    Brute Force Logins 41
    Brute Force Resource Access Initiation 114
    Firewall - Application Protocol Scan 98
    Firewall - High Volume Accepts 44
    Firewall - Host Port Scan 98
    Firewall - Network Port Scan 99
    Firewall - Pass After Repetitive Blocks 42
    Firewall - Repetitive Block - In Progress 42
    High Number of IDS Alerts for Backdoor 42
    High Number of IDS Alerts for DoS 61
    Multi Host Application Brute Force Logins 43
    Multiple Login Attempts to Locked Windows Account 44
    Multiple Windows Logins by Same User 47
    Notify on Successful Attack 44
    Possible DoS on Hosts 60
    Possible DoS on Network 61
    Possible DoS on Services 61
    Possible Internal Network Sweep 176
    Possible Outbound Network Sweep 176
    Probable Attack - Script Attack 47
    Probable Successful Attack - Brute Force 47
    Probable Successful Attack - DoS 43
    Probable Successful Attack - Execute 46
    Probable Successful Attack - Exploit 42
    Probable Successful Attack - Information Leak 46
    Probable Successful Attack - Probable Redirect Attack 45
    Probable Successful Attack - Repetitive Exploit Events 40
    Probable Successful Attack - System Configuration 41
    Resource Access Initiation 113
    Resource Access Termination 113
    SANS Top 20 Email (v6.01) - Microsoft Office XP Buffer Overflow Vulnerabilities 134
    SANS Top 20 Email (v6.01) - Microsoft OLE and COM Remote Code Execution Vulnerabilities 142
    SANS Top 20 OS (v6.01) - Microsoft Exchange SMTP Service Vulnerabilities 139
    SANS Top 20 OS (v6.01) - Microsoft License Logging Service Vulnerabilities 138
    SANS Top 20 OS (v6.01) - Microsoft Message Queuing Service Vulnerabilities 141
    SANS Top 20 OS (v6.01) - Microsoft MSDTC and COM Service Vulnerabilities 140
    SANS Top 20 OS (v6.01) - Microsoft NetDDE Service Vulnerabilities 136
    SANS Top 20 OS (v6.01) - Microsoft NNTP Service Vulnerabilities 137
    SANS Top 20 OS (v6.01) - Microsoft Plug and Play Service Vulnerabilities 135
    SANS Top 20 OS (v6.01) - Microsoft SMB Service Vulnerabilities 133
    SANS Top 20 OS (v6.01) - Microsoft Task Scheduler Service Vulnerabilities 131
    SANS Top 20 OS (v6.01) - Microsoft WINS Vulnerabilities 132
    Successful Windows Login 78
    Successful Windows Logout 78
    Suspicious Activity - Excess Suspicious Activity 45
    Suspicious Activity - Packet Manipulation 41
    Suspicious Activity - Suspicious File Activity 47
    Suspicious Communication From Attacked Target 45
    SYN Flood Detected by IDS or Firewall 61
    Traffic From Dark Address Space 40
    Traffic To Dark Address Space 159
    User Session (Accounting User) Started 77
    User Session (Accounting User) Stopped 78
    User Session (Administrative User) Started 78
    User Session (Administrative User) Stopped 77
    User Session (Normal User) Started 79
    User Session (Normal User) Stopped 78
    User VPN Session Started 79
    User VPN Session Stopped 79
    Windows Account Created 79
    Windows Account Created and Deleted within 1 Hour 46
    Windows Account Locked Out 78
    Windows Account Locked Out Multiple Times 43
    Worm Outbreak Detected 175

S
SANS Top 20 (v6.01) Attacked Systems - hourly query 143
SANS Top 20 (v6.01) Attacked Systems - Hourly Report report 130
SANS Top 20 (v6.01) Vulnerability Area Activity - Hourly Report report 129
SANS Top 20 Email (v6.01) - Microsoft Office XP Buffer Overflow Vulnerabilities rule 134
SANS Top 20 Email (v6.01) - Microsoft OLE and COM Remote Code Execution Vulnerabilities rule 142
SANS Top 20 OS (v6.01) - Microsoft Exchange SMTP Service Vulnerabilities rule 139
SANS Top 20 OS (v6.01) - Microsoft License Logging Service Vulnerabilities rule 138
SANS Top 20 OS (v6.01) - Microsoft Message Queuing Service Vulnerabilities rule 141
SANS Top 20 OS (v6.01) - Microsoft MSDTC and COM Service Vulnerabilities rule 140
SANS Top 20 OS (v6.01) - Microsoft NetDDE Service Vulnerabilities rule 136
SANS Top 20 OS (v6.01) - Microsoft NNTP Service Vulnerabilities rule 137
SANS Top 20 OS (v6.01) - Microsoft Plug and Play Service Vulnerabilities rule 135
SANS Top 20 OS (v6.01) - Microsoft SMB Service Vulnerabilities rule 133
SANS Top 20 OS (v6.01) - Microsoft Task Scheduler Service Vulnerabilities rule 131
SANS Top 20 OS (v6.01) - Microsoft WINS Vulnerabilities rule 132


SANS Top 20 resource group 129
SANS Top 5 Reports resource group 122
Sarbanes-Oxley - Top 10 Targets query 107
Sarbanes-Oxley - Top 10 Targets report 107
Sarbanes-Oxley asset category 107
Scanned List active list 99, 160
Scanner Events filter 125, 170
Scanning Activity by Business Role Trend report 96
Scanning Activity by Zone Trend report 97
Security Overview resource group 145
Security Activity Statistics dashboard 146
Security Devices asset category 147
Security Intelligence Status Report report 147
Service asset category 147
Service Attacks dashboard 156
Service Event Counts data monitor 68
Service Overview active channel 66
Service-Communications Attacks dashboard 156
Service-Database Attacks dashboard 155
Service-Email Attacks dashboard 155
Services - Communications Service filter 164
Services - Database Service filter 163
Services - Email Service filter 164
Services - Web Service filter 162
Service-Web Attacks dashboard 155
session lists
    Brute Force Resource Access 117
    Resource Access 117
    User Sessions 94
    User VPN Sessions 53, 94
shared libraries 7
SIS-Assets Compromised Table Query query 153
SIS-Cases Added Table Query query 153
SIS-Event Count by Agent Severity Chart Query query 152
SIS-Notifications Sent Table Query query 153
SIS-Top Attackers Chart Query query 153
SIS-Top Attacks Table Query query 153
SIS-Top Events Table Query query 153
SIS-Top Firing Rules Table Query query 152
SIS-Top Target Ports Chart Query query 153
SIS-Top Targets Chart Query query 153
SNMP Authentication Failures by Device query 93
Status by Business Role data monitor 149
Status by Business Role filter 151
Status by Development and Operations Roles data monitor 148
Status by Infrastructure Role data monitor 148
Status by Revenue Generation Role data monitor 150
Status by Security Device Role data monitor 149
Status by Service Role data monitor 150
Status Overview field set 69
Successful Attacks filter 57, 152
Successful Firewall Login Events filter 85
Successful Inbound Attacks dashboard 156
Successful Inbound Attacks data monitor 149, 162
Successful Inbound DoS Events - Trend Filter filter 64, 142
Successful Inbound DoS Events - Trend query 65, 144
Successful Inbound DoS Events Last Hour query 65
Successful Inbound DoS Events Query on Trend query 65, 143
Successful Login by User (Chart) query 94
Successful Login by User query 92
Successful Login Events filter 83
Successful Logins by Destination Address (Chart) query 93
Successful Logins by Destination Address focused report 87, 88
Successful Logins by Destination Address report 76
Successful Logins by Source Address (Chart) query 91
Successful Logins by Source Address focused report 85, 86, 89, 90
Successful Logins by Source Address report 77
Successful Logins by Source-Destination Pair query 94
Successful Logins by User focused report 86, 87, 88, 90
Successful Logins by User report 75
Successful Network Login Events filter 83
Successful Operating System Login Events filter 83
Successful VPN Login Events filter 84
Successful Windows Login filter 49, 84
Successful Windows Login rule 78
Successful Windows Logout filter 82
Successful Windows Logout rule 78
Suspicious Activity - Excess Suspicious Activity rule 45
Suspicious Activity - Packet Manipulation rule 41
Suspicious Activity - Suspicious File Activity rule 47
Suspicious Communication From Attacked Target rule 45
Suspicious List active list 48, 99, 159
SYN Flood Detected by IDS or Firewall rule 61

T
Target Address is NULL filter 24
Target Asset has Asset Name filter 64, 70, 143
Target Asset has OS Categorization filter 70
Target Counts by ArcSight Priority query 165
Target Counts by ArcSight Priority report 157
Target Counts by Attacker Port query 52
Target Counts by Attacker Port report 37
Target Counts by Attacker query 166
Target Counts by Attacker report 157
Target Counts by Device query 167
Target Counts by Device report 159
Target Counts by Event Name query 167
Target Counts by Event Name report 159
Target Counts by Target Port query 166
Target Counts by Target Port report 159
Target Host Name is NULL filter 24
Target Object starts with Host Application filter 70
Target Port Activity by Attacker data monitor 177
Target Port Activity By Attacker filter 177
Target Port Counts query 166
Target Port Counts report 157
Target Port is not NULL filter 34, 64, 70, 142
Target Service Name is not NULL filter 34, 64, 70, 143
Target User ID is NULL filter 49, 83
Target User Name is NULL filter 85
Target Zone is NULL filter 25
Targeted Business Impact Analysis filter 57
Targeted Zones by Service and Customer data monitor 31
Targeted Zones by Service data monitor 33
Targets in Compromised List query 166
Targets in Compromised List report 157
Targets in Hit List query 165
Targets in Hit List report 158
Targets in Scanned List query 164
Targets in Scanned List report 156
Targets resource group 155


TargetUser global variable 82
Top 10 Alerts focused report 20
Top 10 Anti-Virus Errors data monitor 23
Top 10 Application Events data monitor 68
Top 10 Attack Rate Statistics by Service and Zones dashboard 29
Top 10 Attack Rate Statistics by Service dashboard 27
Top 10 Attack Rate Statistics by Zones dashboard 28
Top 10 Attack Signatures targeting Windows Assets query 165
Top 10 Attack Sources query 51
Top 10 Attacked Assets in North America query 165
Top 10 Attacked Services data monitor 32
Top 10 Attacker Details query 51
Top 10 Attacker Zones by Customer data monitor 33
Top 10 Attacker Zones by Service and Customer data monitor 33
Top 10 Attacker Zones by Service data monitor 31
Top 10 Attacker Zones data monitor 32
Top 10 Attackers focused report 50
Top 10 Attackers query 50
Top 10 Communications Service Targets data monitor 162
Top 10 Customer Attack Rate Statistics by Service and Zones dashboard 28
Top 10 Customer Attack Rate Statistics by Service dashboard 28
Top 10 Customer Attack Rate Statistics by Zones dashboard 29
Top 10 Daily Vulnerabilities in Events on Trend query 171
Top 10 Daily Vulnerability Events on Trend query 172
Top 10 Daily Vulnerability Events trend 172
Top 10 Database Service Targets data monitor 162
Top 10 Email Service Targets data monitor 161
Top 10 Infected Systems data monitor 23
Top 10 Infections data monitor 23
Top 10 Operating System Events data monitor 69
Top 10 Reconnaissance Types Detected on Trend query 101
Top 10 Reconnaissance Types Detected trend 105
Top 10 Service Events data monitor 68
Top 10 Talkers query 126
Top 10 Talkers report 123
Top 10 Targeted Services by Customer data monitor 33
Top 10 Targeted Zones by Customer data monitor 32
Top 10 Targeted Zones by Service and Customer data monitor 31
Top 10 Targeted Zones by Service data monitor 31
Top 10 Targeted Zones data monitor 33
Top 10 Targets focused report 164
Top 10 Targets query 125, 165
Top 10 Users With Failed Logins data monitor 80, 81, 82
Top 10 Vulnerable Systems - Today report 122
Top 10 Vulnerable Systems - Weekly report 124
Top 10 Web Service Targets data monitor 162
Top 10 Zones Scanned data monitor 100
Top 5 IDS Signature Destinations per Day report 123
Top 5 IDS Signature Sources per Day report 123
Top 5 IDS Signatures per Day (Snort-Snort) focused report 125
Top 5 IDS Signatures per Day report 122
Top 5 Signatures per Day (CISCO-CiscoSecureIDS) focused report 125
Top 5 Users with Failed Logins - Daily report 124
Top 5 Users with Failed Logins - Today report 122
Top 5 Users with Failed Logins - Weekly report 124
Top Alert Destinations query 165
Top Alert Destinations report 158
Top Alert Sources query 51
Top Alert Sources report 39
Top Alerts from IDS and IPS report 19, 122
Top Anti-Virus Errors query 26
Top Application Status Events on Trend query 71
Top Application Status Events over the Last 24 Hours (Chart Query) query 73
Top Application Status Events over the Last 24 Hours query 72
Top Application Status Events over the Last 24 Hours report 68
Top Attacker IPs data monitor 148
Top Attacker Ports query 50
Top Attacker Ports report 38
Top Attackers report 39
Top Attackers Targeting Critical Assets data monitor 161
Top Categories data monitor 150
Top Connection Durations query 92
Top Connectors data monitor 148
Top Hosts by Number of Connections focused report 86, 89
Top Hosts by Number of Connections query 93
Top Hosts by Number of Connections report 77
Top IDS and IPS Alerts query 20, 126
Top IDS Signature Destinations per Day query 127
Top IDS Signature Sources per Day query 126
Top IDS Signatures by IDS Product query 126
Top Infected Systems query 26
Top Infected Systems report 23
Top N Attack Signatures Targeting Windows Assets report 156
Top N Attack Sources report 39
Top N Attacked Assets in North America report 158
Top N Attacker Details report 38
Top N Targets (3D Pie Chart) report 157
Top N Targets (Bar Chart) report 156
Top N Targets (Inverted Bar Chart) report 159
Top N Targets (Pie Chart) report 158
Top N Targets (Table and Chart) report 158
Top N Targets (Table) report 157
Top N Vulnerabilities in Events on Trend query 171
Top N Vulnerabilities on Assets report 169
Top Operating System Status Events on Trend query 72
Top OS Status Events over the Last 24 Hours (Chart Query) query 73
Top OS Status Events over the Last 24 Hours query 71
Top OS Status Events over the Last 24 Hours report 68
Top Service Status Events on Trend query 71
Top Service Status Events over the Last 24 Hours (Chart Query) query 71
Top Service Status Events over the Last 24 Hours query 72
Top Service Status Events over the Last 24 Hours report 67
Top Status Events on Trend query 71
Top Target IPs data monitor 149
Top Target IPs report 124
Top Target Ports Chart query 167
Top Target Ports Chart report 157
Top Targets report 158
Top Transport Protocols data monitor 150
Top Users by Average Session Length report 37


Top Users by Connection Count data monitor 81
Top Users by Connection Count query 53, 92
Top Users by Login Activity data monitor 80
Top Users with Failed Logins per Day query 125, 127
Top Users with Failed Logins per Day trend 127
Top Users with Failed Logins per Week query 126
Top VPN Connection Durations query 52
Top Vulnerabilities in Events Trend report 169
Top Vulnerable Systems per Week query 126
Top Zones with Anti-Virus Errors query 25
Total Number of Vulnerable Systems - Monthly report 123
Total Number of Vulnerable Systems - Yearly report 123
Traffic From Dark Address Space rule 40
Traffic To Dark Address Space rule 159
Transport Protocol is not NULL filter 34, 65, 70, 143
Trend: Environment Status Events - Yesterday report 67
Trend: Inbound DoS Events - Yesterday report 60, 129
Trend: Prioritized Attack Counts by Service - Last 24 Hours report 29
Trend: Prioritized Attack Counts by Target Zone - Last 24 Hours report 30
Trend: Top Application Status Events over the Last 24 Hours report 67
Trend: Top OS Status Events over the Last 24 Hours report 67
Trend: Top Service Status Events over the Last 24 Hours report 68
trends
    Asset Counts by Vulnerability 173
    Brute Force Access Session Trends 118
    Daily Top 10 Resource Access Trends 118
    Environment Status Events 73
    Failed Logins per Hour 128
    Inbound DoS Events 65, 144
    Number of Vulnerabilities per Asset 128
    Port Scanning 105
    Port Scanning Daily Top 20 104
    Prioritized Attack Counts by Service 36
    Prioritized Attack Counts by Target Zone 35
    Prioritized Vulnerability Events by Zone 172
    Reconnaissance Activity 105
    Reconnaissance Types Detected 105
    Resource Access 118
    Top 10 Daily Vulnerability Events 172
    Top 10 Reconnaissance Types Detected 105
    Top Users with Failed Logins per Day 127
    Zone Scanning Events by Priority 105
Trusted List active list 48, 61, 99, 114, 142, 176

U
Untrusted List active list 48, 99, 176
Update Events filter 25
Update Summary Chart query 26
Update Summary query 26
Update Summary report 23
use cases
    Business Impact Analysis 154
    Environment State 153
    Regulated Systems 154
    Revenue Generating Systems 153
User Activity query 91
User Activity report 76
User Session (Accounting User) Started rule 77
User Session (Accounting User) Stopped rule 78
User Session (Administrative User) Started rule 78
User Session (Administrative User) Stopped rule 77
User Session (Normal User) Started rule 79
User Session (Normal User) Stopped rule 78
User Sessions session list 94
User VPN Session Started rule 79
User VPN Session Stopped rule 79
User VPN Sessions session list 53, 94
User-based Rule Exclusions active list 48, 79
Users by Connection Count query 52, 92
Users with Open Connections query 91
Users with Open VPN Connections query 53

V
Very High asset category 161
Very High Criticality Assets filter 163
Virus Activity by Host data monitor 24
Virus Activity by Hour query 25
Virus Activity by Time report 23
Virus Activity by Zone data monitor 24
Virus Activity data monitor 23
Virus Activity filter 24
Virus Activity Overview dashboard 22
Virus Activity Statistics dashboard 22
VPN Events filter 82
VPN Login Events filter 83
VPN Login Overview dashboard 74
Vulnerabilities (by Asset Counts) on Trend query 171
Vulnerabilities and Assets query 170
Vulnerabilities and Assets report 169
Vulnerabilities asset category 142
Vulnerabilities in Events by Zone (Chart Query) query 171
Vulnerabilities in Events by Zone report 169
Vulnerability Events active channel 168
Vulnerability field set 170
Vulnerability resource group 168
Vulnerability Scanner Events active channel 168
Vulnerability Scanner field set 170
Vulnerability Scanner Logs - by Host report 123
Vulnerability Scanner Logs - by Vulnerability report 124
Vulnerability Scanner Logs query 127

W
Web asset category 160
Web Service Attack Activity data monitor 161
Windows Account Created and Deleted within 1 Hour rule 46
Windows Account Created rule 79
Windows Account Locked Out Multiple Times rule 43
Windows Account Locked Out rule 78
Windows Created Accounts active list 49, 80
Windows Events query 92
Windows Events report 76
Windows Locked Out Accounts active list 48, 79
Windows Login Count active list 48, 80
Worm Activity filter 178
Worm Activity Status data monitor 177
Worm Geo Filter filter 178
Worm Infected Machines data monitor 149
Worm Infected Systems active list 114, 176
Worm Infected Systems dashboard 146


Worm Infected Systems data monitor 149, 177
Worm Infected Systems filter 178
Worm Infected Systems query 178
Worm Infected Systems report 175
Worm Outbreak dashboard 174
Worm Outbreak Detected rule 175
Worm Outbreak filter 150, 177
Worm Outbreak Overview dashboard 174
Worm Outbreak resource group 174
Worm Propagation by Host data monitor 177
Worm Propagation by Zone data monitor 177
Worm Spread data monitor 177
Worm Spread Geo View dashboard 174
Worm Traffic filter 152, 178

Z
Zone Scanning Activity on Trend (Chart Query) query 104
Zone Scanning Activity on Trend query 104
Zone Scanning Events by Priority trend 105
Zone Scanning Events by Priority Trend query 103
Zone Scanning Events query 101
